)
      val subject: List<List<AttributeTypeAndValue>> = subject()

      // Issuer/signer keys & identity. May be the subject if it is self-signed.
      val issuerKeyPair: KeyPair
      val issuer: List<List<AttributeTypeAndValue>>
      if (signedBy != null) {
        issuerKeyPair = signedBy!!.keyPair
        issuer =
          CertificateAdapters.rdnSequence.fromDer(
            signedBy!!

    }
    this.subjectToCaCerts = map
  }

  override fun findByIssuerAndSignature(cert: X509Certificate): X509Certificate? {
    val issuer = cert.issuerX500Principal
    val subjectCaCerts = subjectToCaCerts[issuer] ?: return null

    return subjectCaCerts.firstOrNull {
      try {
        cert.verify(it.publicKey)
        return@firstOrNull true
      } catch (_: Exception) {

            signature =
              AlgorithmIdentifier(
                algorithm = SHA256_WITH_RSA_ENCRYPTION,
                parameters = null,
              ),
            issuer =
              listOf(
                listOf(
                  AttributeTypeAndValue(
                    type = COMMON_NAME,
                    value = "cash.app",
                  ),
                ),

  /**
   * ```
   * TBSCertificate ::= SEQUENCE  {
   *   version         [0]  EXPLICIT Version DEFAULT v1,
   *   serialNumber         CertificateSerialNumber,
   *   signature            AlgorithmIdentifier,
   *   issuer               Name,
   *   validity             Validity,
   *   subject              Name,
   *   subjectPublicKeyInfo SubjectPublicKeyInfo,

## Prerequisites

Install Dex by following [Dex Getting Started Guide](https://dexidp.io/docs/getting-started/)

### Start Dex

```
~ ./bin/dex serve dex.yaml
time="2020-07-12T20:45:50Z" level=info msg="config issuer: http://127.0.0.1:5556/dex"
time="2020-07-12T20:45:50Z" level=info msg="config storage: sqlite3"
time="2020-07-12T20:45:50Z" level=info msg="config static client: Example App"

    val names =
      acceptedIssuers
        .map { it.subjectDN.name }
        .toSet()

    // It's safe to assume all platforms will have a major Internet certificate issuer.
    assertThat(names).matchesPredicate { strings ->
      strings.any { it.matches(Regex("[A-Z]+=Entrust.*")) }
    }
  }

  private fun startTlsServer(): InetSocketAddress {

| azp        | _string_       | The authorized party for which the token is issued to. The client identifier of the OAuth client that the token is issued for, is sent herewith.                                        |

The following self-signed certificate is issued for `consoleAdmin`. So, MinIO would associate it with the pre-defined `consoleAdmin` policy.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:ac:60:46:ad:8d:de:18:dc:0b:f6:98:14:ee:89:e8
        Signature Algorithm: ED25519
        Issuer: CN = consoleAdmin
        Validity

	claims[expClaim] = UTCNow().Add(expiry).Unix()
	claims[subClaim] = certificate.Subject.CommonName
	claims[audClaim] = certificate.Subject.Organization
	claims[issClaim] = certificate.Issuer.CommonName
	claims[parentClaim] = parentUser
	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
	if tokenRevokeType != "" {
		claims[tokenRevokeTypeClaim] = tokenRevokeType
	}

#### What this PR does / why we need it:

#### Which issue(s) this PR is related to:
<!--
Please link relevant issues to help with tracking.

To automatically close the linked issue(s) when this PR is merged,
add the word "Fixes" before the issue number or link.
Do not use "Fixes" if the PR is of kind `failing-test` or `flake`.

Reference KEPs when applicable in addition to specific issues.

Examples:
Fixes #<issue number>