[builder][held_certificate_builder] to create a self-signed certificate that a test server can use
for HTTPS:

```java
HeldCertificate localhostCertificate = new HeldCertificate.Builder()
    .addSubjectAlternativeName("localhost")
    .build();
```

[`HandshakeCertificates`][handshake_certificates] keeps the certificates for a TLS handshake.
Use its [builder][handshake_certificates_builder] to define which certificates the HTTPS server

To preview `next` content in merged form using a local instance of the website, run:

```
go run golang.org/x/website/cmd/golangorg@latest -goroot=..
```

Then open http://localhost:6060/doc/next. Refresh the page to see your latest edits.

## For the release team

The `relnote` tool, at `golang.org/x/build/cmd/relnote`, operates on the files
in `doc/next`.

    } catch (IOException e) {
      result.close();
      throw e;
    }
    return result;
  }

  @Override public Socket createSocket(
      String host, int port, InetAddress localHost, int localPort) throws IOException {
    return createSocket(host, port);
  }

  @Override public Socket createSocket(InetAddress host, int port) throws IOException {
    Socket result = createSocket();

    try {

        var ws = null;
            function connect(event) {
                var itemId = document.getElementById("itemId")
                var token = document.getElementById("token")
                ws = new WebSocket("ws://localhost:8000/items/" + itemId.value + "/ws?token=" + token.value);
                ws.onmessage = function(event) {
                    var messages = document.getElementById('messages')

        var ws = null;
            function connect(event) {
                var itemId = document.getElementById("itemId")
                var token = document.getElementById("token")
                ws = new WebSocket("ws://localhost:8000/items/" + itemId.value + "/ws?token=" + token.value);
                ws.onmessage = function(event) {
                    var messages = document.getElementById('messages')

import okhttp3.internal.DoubleInetAddressDns
import okhttp3.internal.connection.RealConnectionPool.Companion.get
import okhttp3.testing.Flaky
import okhttp3.testing.PlatformRule
import okhttp3.tls.internal.TlsUtil.localhost
import org.junit.jupiter.api.BeforeEach
import org.junit.jupiter.api.Tag
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.Timeout
import org.junit.jupiter.api.extension.RegisterExtension

      HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(1)
        .commonName("root")
        .build()

    // Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
    // SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
    // certificate.
    val goodIntermediateCa =
      HeldCertificate.Builder()
        .signedBy(rootCa)

     * This is necessary for testing against localhost or in development environments where a
     * certificate authority is not possible.
     *
     * The server’s TLS certificate still must match the requested hostname. For example, if the
     * certificate is issued to `example.com` and the request is to `localhost`, the connection will
     * fail. Use a custom [HostnameVerifier] to ignore such problems.

     * <ul>
     * <li>{@code *} (since 2.0.5)= everything,</li>
     * <li>{@code external:*}  (since 2.0.9)= everything not on the localhost and not file based,</li>
     * <li>{@code external:http:*} (since 3.8.0)= any repository not on the localhost using HTTP,</li>
     * <li>{@code repo,repo1}  (since 2.0.9)= {@code repo} or {@code repo1},</li>

        var ws = null;
            function connect(event) {
                var itemId = document.getElementById("itemId")
                var token = document.getElementById("token")
                ws = new WebSocket("ws://localhost:8000/items/" + itemId.value + "/ws?token=" + token.value);
                ws.onmessage = function(event) {
                    var messages = document.getElementById('messages')