import java.security.cert.X509Certificate
import okio.Buffer
import okio.ByteString
import okio.ByteString.Companion.toByteString

/**
 * Decodes a multiline string that contains a [certificate][certificatePem] which is
 * [PEM-encoded][rfc_7468]. A typical input string looks like this:
 *
 * ```
 * -----BEGIN CERTIFICATE-----
 * MIIBYTCCAQegAwIBAgIBKjAKBggqhkjOPQQDAjApMRQwEgYDVQQLEwtlbmdpbmVl

	privateKeyBlock := &pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: privateKeyBytes,
	}
	privatePem, err := os.Create("support_private.pem")
	if err != nil {
		fmt.Printf("error when create private.pem: %s n", err)
		os.Exit(1)
	}
	err = pem.Encode(privatePem, privateKeyBlock)
	if err != nil {
		fmt.Printf("error when encode private pem: %s n", err)
		os.Exit(1)
	}

import okhttp3.tls.decodeCertificatePem

class CustomTrust {
  // PEM files for root certificates of Comodo and Entrust. These two CAs are sufficient to view
  // https://publicobject.com (Comodo) and https://squareup.com (Entrust). But they aren't
  // sufficient to connect to most HTTPS sites including https://godaddy.com and https://visa.com.
  // Typically developers will need to get a PEM file from their organization's TLS administrator.

	data = bytes.TrimSpace(data)

	// Parse all certs in the chain.
	current := data
	for len(current) > 0 {
		var pemBlock *pem.Block
		if pemBlock, current = pem.Decode(current); pemBlock == nil {
			return nil, ErrTLSUnexpectedData(nil).Msgf("Could not read PEM block from file %s", certFile)
		}

		var x509Cert *x509.Certificate
		if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {

  )
  fun keyPair(): KeyPair = keyPair

  /**
   * Returns the certificate encoded in [PEM format][rfc_7468].
   *
   * [rfc_7468]: https://tools.ietf.org/html/rfc7468
   */
  fun certificatePem(): String = certificate.certificatePem()

  /**
   * Returns the private key encoded in [PKCS #8][rfc_5208] [PEM format][rfc_7468].
   *
   * [rfc_5208]: https://tools.ietf.org/html/rfc5208

    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager())
    .build();
```

PEM files
---------

You can encode a `HeldCertificate` in PEM format:

```java
HeldCertificate heldCertificate = ...
System.out.println(heldCertificate.certificatePem())
```

```
-----BEGIN CERTIFICATE-----

          }

          println(response.body!!.string())
        }
      }

      /**
       * Returns an input stream containing one or more certificate PEM files. This implementation just
       * embeds the PEM files in Java strings; most applications will instead read this from a resource
       * file that gets bundled with the application.
       */

					if err != nil {
						return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
					}
					keyBytes = pem.EncodeToMemory(&pem.Block{Type: privateKeyPEM.Type, Bytes: keyBytes})
				}
				certificate, err := tls.X509KeyPair(certBytes, keyBytes)
				if err != nil {

* 3.3 [Use OpenSSL (with IP address) to Generate a Certificate](#using-open-ssl-with-ip)
* 3.4 [Use GnuTLS (for Windows) to Generate a Certificate](#using-gnu-tls)

**Note:**

* MinIO only supports keys and certificates in PEM format on Linux and Windows.
* MinIO doesn't currently support PFX certificates.

### 3.1 Use `certgen` to Generate a Certificate

	if err != nil {
		return nil, nil, fmt.Errorf("Failed to create certificate: %w", err)
	}

	certOut := bytes.NewBuffer([]byte{})
	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

	keyOut := bytes.NewBuffer([]byte{})
	pem.Encode(keyOut, pemBlockForKey(priv))

	return certOut.Bytes(), keyOut.Bytes(), nil
}