* ```
 *
 * In this example the HTTP client already knows and trusts the last certificate, "Entrust Root
 * Certification Authority - G2". That certificate is used to verify the signature of the
 * intermediate certificate, "Entrust Certification Authority - L1M". The intermediate certificate
 * is used to verify the signature of the "www.squareup.com" certificate.
 *

        "DigiCert",
        "Let's Encrypt",
        "ISRG", // Internet Security Research Group (Let's Encrypt parent)
        "GlobalSign",
        "Comodo",
        "Sectigo",
        "GeoTrust",
        "Entrust",
      )
    assertThat(names).matchesPredicate { strings ->
      strings.any { name -> majorIssuers.any { issuer -> name.contains(issuer, ignoreCase = true) } }
    }
  }

MockWebServer server = new MockWebServer();
server.useHttps(serverCertificates.sslSocketFactory(), false);
```

`HandshakeCertificates` also works for clients where its job is to define which root certificates
to trust. In this simplified example we trust the server's self-signed certificate:

```java
HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder()
    .addTrustedCertificate(localhostCertificate.certificate())
    .build();

 *
 * Supported on OpenJDK 8 via the JettyALPN-boot library or Conscrypt.
 *
 * Supported on OpenJDK 9+ via SSLParameters and SSLSocket features.
 *
 * ### Trust Manager Extraction
 *
 * Supported on Android 2.3+ and OpenJDK 7+. There are no public APIs to recover the trust
 * manager that was used to create an [SSLSocketFactory].
 *
 * Not supported by choice on JDK9+ due to access checks.
 *
 * ### Android Cleartext Permit Detection

  avatarUrl: https://avatars.githubusercontent.com/u/2546697?u=a027452387d85bd4a14834e19d716c99255fb3b7&v=4
  url: https://github.com/jekirl
hitrust:
  login: hitrust
  count: 4
  avatarUrl: https://avatars.githubusercontent.com/u/3360631?u=5fa1f475ad784d64eb9666bdd43cc4d285dcc773&v=4
  url: https://github.com/hitrust
ShahriyarR:
  login: ShahriyarR
  count: 4

Nevertheless, as the **application server** doesn't know it is behind a trusted **proxy**, by default, it wouldn't trust those headers.

But you can configure the **application server** to trust the *forwarded* headers sent by the **proxy**. If you are using FastAPI CLI, you can use the *CLI Option* `--forwarded-allow-ips` to tell it from which IPs it should trust those *forwarded* headers.

      )
    factory.init(null as KeyStore?)
    val trustManagers = factory.trustManagers!!
    check(trustManagers.size == 1 && trustManagers[0] is X509TrustManager) {
      "Unexpected default trust managers: ${trustManagers.contentToString()}"
    }
    return trustManagers[0] as X509TrustManager
  }

  override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager =

Then the malicious website could make the local AI agent send angry messages to the user's ex-boss... or worse. 😅

## Open Internet { #open-internet }

If your app is in the open internet, you wouldn't "trust the network" and let anyone send privileged requests without authentication.

```

If you see a warning message like `gpg: WARNING: This key is not certified with a trusted signature!`, you can locally sign the Gradle key after importing it.
This tells your GPG installation that you trust this key and will prevent the warning from appearing again.

To do this, run the following command:

```bash
gpg --sign-key 1BD97A6A154E7810EE0BC832E2F38302C8075E3D
```

## Public Key Block in ascii-armored format

        provider,
      )
    factory.init(null as KeyStore?)
    val trustManagers = factory.trustManagers!!
    check(trustManagers.size == 1 && trustManagers[0] is X509TrustManager) {
      "Unexpected default trust managers: ${trustManagers.contentToString()}"
    }
    return trustManagers[0] as X509TrustManager
  }

  override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager =