@Override public Response intercept(Chain chain) throws IOException {
      for (Certificate certificate : chain.connection().handshake().peerCertificates()) {
        String pin = CertificatePinner.pin(certificate);
        if (denylist.contains(pin)) {
          throw new IOException("Denylisted peer certificate: " + pin);
        }
      }
      return chain.proceed(chain.request());
    }
  };

      val keyManager =
        newKeyManager(
          null,
          serverCert,
          serverIntermediateCa.certificate,
        )
      val trustManager =
        newTrustManager(
          null,
          Arrays.asList(serverRootCa.certificate, clientRootCa.certificate),
          emptyList(),
        )
      val sslContext = SSLContext.getInstance("TLS")
      sslContext.init(

    builder = builder.heldCertificate(heldCertificate, heldCertificate.certificate())
    builder = builder.addTrustedCertificate(heldCertificate.certificate())
  }

  @Test @Disabled
  fun heldCertificate() {
    val heldCertificate: HeldCertificate = HeldCertificate.Builder().build()
    val certificate: X509Certificate = heldCertificate.certificate()
    val keyPair: KeyPair = heldCertificate.keyPair()
  }

			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         ClientCert,
			Description: "mTLS certificate for webhook authentication",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         ClientKey,
			Description: "mTLS certificate key for webhook authentication",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
		},

import okhttp3.Request
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.decodeCertificatePem
import org.junit.jupiter.api.Tag
import org.junit.jupiter.api.Test

/**
 * Test for new Let's Encrypt Root Certificate.
 */
@Tag("Remote")
class LetsEncryptClientTest {
  @Test fun get() {
    // These tests wont actually run before Android 8.0 as per
    // https://github.com/mannodermaus/android-junit5

    NVOFBkpdn627G190
    -----END CERTIFICATE-----
    """.trimIndent().decodeCertificatePem()

  // CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
  val entrustRootCertificateAuthority =
    """
    -----BEGIN CERTIFICATE-----
    MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC

    val certificate: X509Certificate = heldCertificate.certificate
    val certificatePinner: CertificatePinner = CertificatePinner.Builder().build()
    val certificates: List<Certificate> = listOf()
    certificatePinner.check("", listOf(certificate))
    certificatePinner.check("", arrayOf<Certificate>(certificate, certificate).toList())
    val pin: String = CertificatePinner.pin(certificate)

	// EnvIdentityTLSSkipVerify is an environment variable that controls whether
	// MinIO verifies the client certificate present by the client
	// when requesting temp. credentials.
	// By default, MinIO always verify the client certificate.
	//
	// The client certificate verification should only be skipped
	// when debugging or testing a setup since it allows arbitrary

) : CertificateChainCleaner() {
  @Suppress("UNCHECKED_CAST")
  @Throws(SSLPeerUnverifiedException::class)
  @SuppressSignatureCheck
  override fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate> {
    val certificates = (chain as List<X509Certificate>).toTypedArray()
    try {
      return x509TrustManagerExtensions.checkServerTrusted(certificates, "RSA", hostname)

  }

  override fun getValueNames(): Array<String> = delegate!!.valueNames

  @Throws(SSLPeerUnverifiedException::class)
  override fun getPeerCertificates(): Array<Certificate>? = delegate!!.peerCertificates

  override fun getLocalCertificates(): Array<Certificate>? = delegate!!.localCertificates

  @Suppress("removal", "OVERRIDE_DEPRECATION")
  @Throws(SSLPeerUnverifiedException::class)