* A criptografia da conexão acontece no nível TCP.
    * Essa é uma camada abaixo do HTTP.
    * Portanto, o manuseio do certificado e da criptografia é feito antes do HTTP.
* O TCP não sabe sobre "domínios". Apenas sobre endereços IP.
    * As informações sobre o domínio solicitado vão nos dados HTTP.
* Os certificados HTTPS “certificam” um determinado domínio, mas o protocolo e a encriptação acontecem ao nível do TCP, antes de sabermos de que domínio se trata.

Maintenant, du point de vue d'un développeur, voici plusieurs choses à avoir en tête en pensant au HTTPS :

* Pour le HTTPS, le serveur a besoin de "certificats" générés par une tierce partie.
    * Ces certificats sont en fait acquis auprès de la tierce partie, et non "générés".
* Les certificats ont une durée de vie.
    * Ils expirent.
    * Puis ils doivent être renouvelés et acquis à nouveau auprès de la tierce partie.

// password protected.
const EnvCertPassword = "MINIO_CERT_PASSWD"

// ParsePublicCertFile - parses public cert into its *x509.Certificate equivalent.
func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err error) {
	// Read certificate file.
	var data []byte
	if data, err = os.ReadFile(certFile); err != nil {
		return nil, err
	}

	// Trimming leading and tailing white spaces.

In this case, it would use the certificate for `someapp.example.com`.

<img src="/img/deployment/https/https03.svg">

The client already **trusts** the entity that generated that TLS certificate (in this case Let's Encrypt, but we'll see about that later), so it can **verify** that the certificate is valid.

	// configured expiry and the duration until the certificate itself
	// expires.
	// We must not issue credentials that out-live the certificate.
	if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
		expiry = validUntil
	}

	// Associate any service accounts to the certificate CN
	parentUser := "tls" + getKeySeparator() + certificate.Subject.CommonName

* If a socket is not found, istio-agent then checks whether certificate files are present or not on the defined **certificate path** `/var/run/secrets/workload-spiffe-credentials`. If certificate files are found, istio-agent will start its own SDS Server, listening and serving these certificates on the defined **socket path** `/var/run/secrets/workload-spiffe-uds/socket`,

			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         ClientCert,
			Description: "mTLS certificate for webhook authentication",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         ClientKey,
			Description: "mTLS certificate key for webhook authentication",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},

				}
				certificate, err := tls.X509KeyPair(certBytes, keyBytes)
				if err != nil {
					return tls.Certificate{}, fmt.Errorf("Unable to load KES client certificate as specified by the shell environment: %v", err)
				}
				return certificate, nil
			}

                    final SSLHostConfigCertificate certificate =
                            new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.UNDEFINED);
                    doSetupServerConfig(logger, props, "certificateKeystoreFile", v -> certificate.setCertificateKeystoreFile(v));
                    doSetupServerConfig(logger, props, "certificateKeystorePassword", v -> certificate.setCertificateKeystorePassword(v));

		}
		// If all secrets have a trust domain, we are probably dealing with trust domain federation, so print trust domains.
		// Otherwise, do not do that, because we do not know how to determine that information from the certificate,
		// so the output would be confusing.
		if !hasUnknownTrustDomain {
			fmt.Fprintf(tw, "%s\t%s\t%s\t%t\t%s\t%s\t%s\t%s\n",