@Override public Response intercept(Chain chain) throws IOException {
      for (Certificate certificate : chain.connection().handshake().peerCertificates()) {
        String pin = CertificatePinner.pin(certificate);
        if (denylist.contains(pin)) {
          throw new IOException("Denylisted peer certificate: " + pin);
        }
      }
      return chain.proceed(chain.request());
    }
  };

				}
				return certificate, nil
			}

			reloadCertEvents := make(chan tls.Certificate, 1)
			certificate, err := certs.NewCertificate(env.Get(kms.EnvKESClientCert, ""), env.Get(kms.EnvKESClientKey, ""), loadX509KeyPair)
			if err != nil {
				logger.Fatal(err, "Failed to load KES client certificate")
			}
			certificate.Watch(context.Background(), 15*time.Minute, syscall.SIGHUP)
			certificate.Notify(reloadCertEvents)

    assertThat(listOf(clientCertificate.certificate, clientIntermediate.certificate))
      .isEqualTo(serverHandshake.peerCertificates)
    assertThat(listOf(serverCertificate.certificate, serverIntermediate.certificate))
      .isEqualTo(serverHandshake.localCertificates)
    val clientHandshake = clientHandshakeFuture.get()
    assertThat(listOf(serverCertificate.certificate, serverIntermediate.certificate))

    }
  }

  fun verify(
    host: String,
    certificate: X509Certificate,
  ): Boolean {
    return when {
      host.canParseAsIpAddress() -> verifyIpAddress(host, certificate)
      else -> verifyHostname(host, certificate)
    }
  }

  /** Returns true if [certificate] matches [ipAddress]. */
  private fun verifyIpAddress(
    ipAddress: String,
    certificate: X509Certificate,
  ): Boolean {

	}
	go func() {
		if config.Certificate == nil || config.ReloadCertEvents == nil {
			return
		}
		var prevCertificate tls.Certificate
		for {
			certificate, ok := <-config.ReloadCertEvents
			if !ok {
				return
			}
			sameCert := len(certificate.Certificate) == len(prevCertificate.Certificate)
			for i, b := range certificate.Certificate {
				if !sameCert {
					break
				}

## Version 4.2.0

_2019-09-10_

 *  New: API to decode a certificate and private key to create a `HeldCertificate`. This accepts a
    string containing both a certificate and PKCS #8-encoded private key.

    ```kotlin
    val heldCertificate = HeldCertificate.decode("""
        |-----BEGIN CERTIFICATE-----
        |MIIBYTCCAQegAwIBAgIBKjAKBggqhkjOPQQDAjApMRQwEgYDVQQLEwtlbmdpbmVl

	EnvKESClientKey        = "MINIO_KMS_KES_KEY_FILE"       // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
	EnvKESClientPassword   = "MINIO_KMS_KES_KEY_PASSWORD"   // Optional password to decrypt an encrypt TLS private key

	}
	today := time.Now()
	expDate, err := time.Parse(time.RFC3339, cert.ExpirationTime)
	if err != nil {
		log.Errorf("certificate timestamp (%v) could not be parsed: %v", cert.ExpirationTime, err)
		return false
	}
	fromDate, err := time.Parse(time.RFC3339, cert.ValidFrom)
	if err != nil {
		log.Errorf("certificate timestamp (%v) could not be parsed: %v", cert.ValidFrom, err)
		return false
	}

                                      certificate authority certificates to use in
                                      verifying a presented server certificate.'
                                    type: string
                                  caCrl:
                                    description: 'OPTIONAL: The path to the file containing
                                      the certificate revocation list (CRL) to use

CERTIFICATE NAME                                         TYPE     STATUS           VALID CERT     SERIAL NUMBER                        NOT AFTER                NOT BEFORE
spiffe://cluster.local/ns/istio-system/sa/istiod         Leaf     Available        true           e5dfb59150b2ba7f108d93dcec5aa613     2033-03-22T13:04:57Z     2023-03-21T13:02:57Z