.certificateAuthority(0)
        .commonName("compromised intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerIntermediate =
      HeldCertificate
        .Builder()
        .keyPair(attackerCa.keyPair) // Share keys between compromised CA and intermediate!
        .serialNumber(4L)
        .certificateAuthority(0) // More intermediates than permitted by signer!
        .commonName("attacker intermediate")

      this.intermediates = arrayOf(*intermediates) // Defensive copy.
    }

    /**
     * Add a trusted root certificate to use when authenticating a peer. Peers must provide
     * a chain of certificates whose root is one of these.
     */
    fun addTrustedCertificate(certificate: X509Certificate) =
      apply {
        this.trustedCertificates += certificate
      }

    /**

  private fun buildClient(
    heldCertificate: HeldCertificate?,
    vararg intermediates: X509Certificate,
  ): OkHttpClient {
    val builder =
      HandshakeCertificates
        .Builder()
        .addTrustedCertificate(serverRootCa.certificate)
    if (heldCertificate != null) {
      builder.heldCertificate(heldCertificate, *intermediates)
    }
    val handshakeCertificates = builder.build()
    return clientTestRule

				intermediates = x509.NewCertPool()
			}
			intermediates.AddCert(cert)
		} else {
			peerCertificates = append(peerCertificates, cert)
		}
	}
	r.TLS.PeerCertificates = peerCertificates

	// Now, we have to check that the client has provided exactly one leaf
	// certificate that we can map to a policy.
	if len(r.TLS.PeerCertificates) == 0 {

representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The
int specifies how many intermediate certificates are allowed beneath it in the chain.

```java
HeldCertificate rootCertificate = new HeldCertificate.Builder()

 *  Fix: Don't crash loading the public suffix database resource in obfuscated builds.
 *  Fix: Don't silently ignore calls to `EventSource.cancel()` made from
    `EventSourceListener.onOpen()`.
 *  Fix: Enforce the max intermediates constraint when using pinned certificates with Conscrypt.
    This impacts Conscrypt when the server's presented certificates form both a trusted-but-unpinned
    chain and an untrusted-but-pinned chain.

    }

    /**
     * Mark this referral as intermediate (requires further resolution)
     */
    public void intermediate() {
        this.intermediate = true;
    }

    /**
     * @return the intermediate
     */
    @Override
    public boolean isIntermediate() {
        return this.intermediate;
    }

    @Override
    public String toString() {

        @DisplayName("Should handle combine with intermediate flag")
        void testCombineWithIntermediateFlag() {
            // Create two referrals
            DfsReferralDataImpl first = createInitializedDfsReferralDataImpl();
            DfsReferralDataImpl second = createInitializedDfsReferralDataImpl();

            // Set intermediate flag on first
            first.intermediate();
            assertTrue(first.isIntermediate());

        GsaConfigException exception = new GsaConfigException("Top level GSA error", intermediateCause);

        assertNotNull(exception);
        assertEquals("Top level GSA error", exception.getMessage());

        // Check first level cause
        assertNotNull(exception.getCause());
        assertEquals("Intermediate problem", exception.getCause().getMessage());

    void testExceptionChaining() {
        // Given
        Exception rootCause = new IllegalStateException("Root error");
        RuntimeCIFSException intermediateCause = new RuntimeCIFSException("Intermediate", rootCause);

        // When
        RuntimeCIFSException finalException = new RuntimeCIFSException("Final error", intermediateCause);

        // Then