Auf diese Weise könnte der TLS-Terminierungsproxy HTTPS und Zertifikate für **mehrere Domains**, für mehrere Anwendungen, verarbeiten und die Requests dann jeweils an die richtige Anwendung weiterleiten.

### Verlängerung des Zertifikats { #certificate-renewal }

Irgendwann in der Zukunft würde jedes Zertifikat **ablaufen** (etwa 3 Monate nach dem Erwerb).

    assertThat(listOf(clientCertificate.certificate, clientIntermediate.certificate))
      .isEqualTo(serverHandshake.peerCertificates)
    assertThat(listOf(serverCertificate.certificate, serverIntermediate.certificate))
      .isEqualTo(serverHandshake.localCertificates)
    val clientHandshake = clientHandshakeFuture.get()
    assertThat(listOf(serverCertificate.certificate, serverIntermediate.certificate))

    builder = builder.heldCertificate(heldCertificate, heldCertificate.certificate())
    builder = builder.addTrustedCertificate(heldCertificate.certificate())
  }

  @Test @Disabled
  fun heldCertificate() {
    val heldCertificate: HeldCertificate = HeldCertificate.Builder().build()
    val certificate: X509Certificate = heldCertificate.certificate()
    val keyPair: KeyPair = heldCertificate.keyPair()
  }

  ): X509KeyManager {
    val keyStore = newEmptyKeyStore(keyStoreType)
    if (heldCertificate != null) {
      val chain = arrayOfNulls<Certificate>(1 + intermediates.size)
      chain[0] = heldCertificate.certificate
      intermediates.copyInto(chain, 1)
      keyStore.setKeyEntry("private", heldCertificate.keyPair.private, password, chain)
    }

    // https://github.com/bcgit/bc-java/issues/1160

      val keyManager =
        newKeyManager(
          null,
          serverCert,
          serverIntermediateCa.certificate,
        )
      val trustManager =
        newTrustManager(
          null,
          Arrays.asList(serverRootCa.certificate, clientRootCa.certificate),
          emptyList(),
        )
      val sslContext = SSLContext.getInstance("TLS")
      sslContext.init(

        )
      },
    )

  /**
   * ```
   * Certificate ::= SEQUENCE  {
   *   tbsCertificate       TBSCertificate,
   *   signatureAlgorithm   AlgorithmIdentifier,
   *   signatureValue       BIT STRING
   * }
   * ```
   */
  internal val certificate: BasicDerAdapter<Certificate> =
    Adapters.sequence(
      "Certificate",
      tbsCertificate,
      algorithmIdentifier,

import java.util.Map;

import javax.security.auth.kerberos.KerberosKey;

import jcifs.pac.PACDecodingException;
import jcifs.pac.Pac;

/**
 * Kerberos authorization data containing PAC (Privilege Attribute Certificate) information.
 */
public class KerberosPacAuthData extends KerberosAuthData {

    private Pac pac;

    /**
     * Constructs KerberosPacAuthData from token bytes.
     *

import okhttp3.OkHttpClient;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.Response;
import org.junit.Test;
import org.junit.runner.RunWith;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

/**
 * Simple test adaptable to show a failure in older versions of OkHttp

OkHttp 2.x Change Log
=====================

## Version 2.7.5

_2016-02-25_

 *  Fix: Change the certificate pinner to always build full chains. This
    prevents a potential crash when using certificate pinning with the Google
    Play Services security provider.


## Version 2.7.4

_2016-02-07_

 *  Fix: Don't crash when finding the trust manager if the Play Services (GMS)
    security provider is installed.

Prior to 1.17 and for existing nodes created by `kubeadm init` where kubelet client certificate rotation is desired, you must modify `/etc/kubernetes/kubelet.conf` to point to the PEM symlink for rotation: