final String authorities = fessConfig.getFesenHttpSslCertificateAuthorities();
        if (StringUtil.isNotBlank(authorities)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Loading certificate_authorities: path={}", authorities);
            }
            try (final InputStream in = new FileInputStream(authorities)) {

signs the other party's chain.

Well-Known Certificate Authorities
----------------------------------

In these examples we've prearranged which root certificates to trust. But for regular HTTPS on the
Internet this set of trusted root certificates is usually provided by default by the host platform.
Such a set typically includes many root certificates from well-known certificate authorities like
Entrust and Verisign.

and increase connectivity with web servers.

### Certificate Pinning ([.kt][CertificatePinningKotlin], [.java][CertificatePinningJava])

import okio.ByteString.Companion.toByteString

/**
 * Constrains which certificates are trusted. Pinning certificates defends against attacks on
 * certificate authorities. It also prevents connections through man-in-the-middle certificate
 * authorities either known or unknown to the application's user.
 * This class currently pins a certificate's Subject Public Key Info as described on

 * chain. The chain terminates in a self-signed "root" certificate. Signing certificates in the
 * middle of the chain are called "intermediates". Organizations that offer certificate signing are
 * called certificate authorities (CAs).
 *
 * Browsers and other HTTP clients need a set of trusted root certificates to authenticate their
 * peers. Sets of root certificates are managed by either the HTTP client (like Firefox), or the

            builder.put(Constants.FESEN_PASSWORD, password);
        }
        final String authorities = fessConfig.getFesenHttpSslCertificateAuthorities();
        if (StringUtil.isNotBlank(authorities)) {
            builder.put("http.ssl.certificate_authorities", authorities);
        }
        return new HttpClient(builder.build(), null);
    }

    /**

     * connections rely on only the [SSL socket factory][sslSocketFactory] to establish trust.
     * Pinning certificates avoids the need to trust certificate authorities.
     */
    fun certificatePinner(certificatePinner: CertificatePinner) =
      apply {
        if (certificatePinner != this.certificatePinner) {
          this.routeDatabase = null
        }

search_engine.type=default
# The URL of the search engine HTTP endpoint.
# For IPv6 environments, use brackets around the IPv6 address (e.g., http://[::1]:9201)
search_engine.http.url=http://localhost:9201
# Path to SSL certificate authorities for secure HTTP connections.
search_engine.http.ssl.certificate_authorities=
# Username for authenticating to the search engine.
search_engine.username=
# Password for authenticating to the search engine.

- Kubelet: if the `--client-ca-file` is updated while kubelet is running, the updated root certificates are now correctly used to advertise accepted authorities to TLS clients connecting to the kubelet endpoints. This behavior is guarded by the `ReloadKubeletClientCAFile` feature gate, which is enabled by default. ([#136762](https://github.com/kubernetes/kubernetes/pull/136762), [@HarshalNeelkamal](htt...

    String getSearchEngineHttpUrl();

    /**
     * Get the value for the key 'search_engine.http.ssl.certificate_authorities'. <br>
     * The value is, e.g.  <br>
     * comment: Path to SSL certificate authorities for secure HTTP connections.
     * @return The value of found property. (NotNull: if not found, exception but basically no way)
     */
    String getSearchEngineHttpSslCertificateAuthorities();

    /**