```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```

The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:

```
trustedCertsSecret: "minio-trusted-certs"

or

--set trustedCertsSecret=minio-trusted-certs
```

### Create buckets after install

 * limitations under the License.
 */
package okhttp3.internal.tls

import java.security.cert.X509Certificate

fun interface TrustRootIndex {
  /** Returns the trusted CA certificate that signed [cert]. */
  fun findByIssuerAndSignature(cert: X509Certificate): X509Certificate?

 * limitations under the License.
 */
package okhttp3.internal.tls

import java.security.cert.X509Certificate
import javax.security.auth.x500.X500Principal

/** A simple index that of trusted root certificates that have been loaded into memory. */
class BasicTrustRootIndex(vararg caCerts: X509Certificate) : TrustRootIndex {
  private val subjectToCaCerts: Map<X500Principal, Set<X509Certificate>>

  init {

    enum class Type {
      Handshake,
      Plaintext,
      Encrypted,
      Setup,
      Unknown,
    }

    val type: Type
      get() =
        when {
          message == "adding as trusted certificates" -> Type.Setup
          message == "Raw read" || message == "Raw write" -> Type.Encrypted
          message == "Plaintext before ENCRYPTION" || message == "Plaintext after DECRYPTION" -> Type.Plaintext

Use [CertificatePinner](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. **Do not use certificate pinning without the blessing of your server’s TLS administrator!**

        selfSigned.certificate,
        trusted.certificate,
      )
    assertThat(cleaner.clean(list(certB, certA), "hostname")).isEqualTo(
      list(certB, certA, trusted, selfSigned),
    )
    assertThat(cleaner.clean(list(certB, certA, trusted), "hostname")).isEqualTo(
      list(certB, certA, trusted, selfSigned),
    )
    assertThat(cleaner.clean(list(certB, certA, trusted, selfSigned), "hostname"))
      .isEqualTo(

   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *
   * ```
   *   pinnedRoot (trusted by CertificatePinner)
   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *       -> realVictim
   * ```
   *
   * The attacker compromises a CA. They take the public key from an intermediate certificate

      val toVerify = result[result.size - 1] as X509Certificate

      // If this cert has been signed by a trusted cert, use that. Add the trusted certificate to
      // the end of the chain unless it's already present. (That would happen if the first
      // certificate in the chain is itself a self-signed and trusted CA certificate.)
      val trustedCert = trustRootIndex.findByIssuerAndSignature(toVerify)
      if (trustedCert != null) {

    /**
     * Configure the certificate chain to use when being authenticated. The first certificate is
     * the held certificate, further certificates are included in the handshake so the peer can
     * build a trusted path to a trusted root certificate.
     *
     * The chain should include all intermediate certificates but does not need the root certificate
     * that we expect to be known by the remote peer. The peer already has that certificate so

-----------------------

The above example uses a self-signed certificate. This is convenient for testing but not
representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The