.certificateAuthority(0)
        .commonName("compromised intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerIntermediate =
      HeldCertificate.Builder()
        .keyPair(attackerCa.keyPair) // Share keys between compromised CA and intermediate!
        .serialNumber(4L)
        .certificateAuthority(0) // More intermediates than permitted by signer!
        .commonName("attacker intermediate")

      this.intermediates = arrayOf(*intermediates) // Defensive copy.
    }

    /**
     * Add a trusted root certificate to use when authenticating a peer. Peers must provide
     * a chain of certificates whose root is one of these.
     */
    fun addTrustedCertificate(certificate: X509Certificate) =
      apply {
        this.trustedCertificates += certificate
      }

    /**

 *
 * In this example the HTTP client already knows and trusts the last certificate, "Entrust Root
 * Certification Authority - G2". That certificate is used to verify the signature of the
 * intermediate certificate, "Entrust Certification Authority - L1M". The intermediate certificate
 * is used to verify the signature of the "www.squareup.com" certificate.
 *
 * This roles are reversed for client authentication. In that case the client has a private key and

  ): Boolean {
    if (toVerify.issuerDN != signingCert.subjectDN) {
      return false
    }
    if (signingCert.basicConstraints < minIntermediates) {
      return false // The signer can't have this many intermediates beneath it.
    }
    return try {
      toVerify.verify(signingCert.publicKey)
      true
    } catch (verifyFailed: GeneralSecurityException) {
      false
    }
  }

representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The
int specifies how many intermediate certificates are allowed beneath it in the chain.

```java
HeldCertificate rootCertificate = new HeldCertificate.Builder()

    assertThrows(IllegalArgumentException.class, () -> intermediate.indexes(1, -1, 3));
  }

  public void testScale_indexes_varargs_tooHigh() {
    Quantiles.Scale intermediate = Quantiles.scale(10);
    assertThrows(IllegalArgumentException.class, () -> intermediate.indexes(1, 11, 3));
  }

  public void testScale_indexes_collection_negative() {

    keyStoreType: String?,
    heldCertificate: HeldCertificate?,
    vararg intermediates: X509Certificate,
  ): X509KeyManager {
    val keyStore = newEmptyKeyStore(keyStoreType)
    if (heldCertificate != null) {
      val chain = arrayOfNulls<Certificate>(1 + intermediates.size)
      chain[0] = heldCertificate.certificate
      intermediates.copyInto(chain, 1)

        return this.resolveHashes;
    }


    /**
     * 
     */
    public void intermediate () {
        this.intermediate = true;
    }


    /**
     * @return the intermediate
     */
    @Override
    public boolean isIntermediate () {
        return this.intermediate;
    }


    @Override
    public String toString () {

    val root =
      HeldCertificate.Builder()
        .certificateAuthority(1)
        .build()
    val intermediate =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .signedBy(root)
        .build()
    val certificate =
      HeldCertificate.Builder()
        .signedBy(intermediate)
        .build()
    val handshakeCertificates =
      HandshakeCertificates.Builder()

      .isEqualTo(
        list(certificate, intermediateCa, trusted),
      )
    assertThat(cleaner.clean(list(certificate, intermediateCa, trusted), "hostname"))
      .isEqualTo(
        list(certificate, intermediateCa, trusted),
      )
  }

  @Test
  fun chainMaxLength() {
    val heldCertificates = chainOfLength(10)