public final class CustomTrust {
  // PEM files for root certificates of Comodo and Entrust. These two CAs are sufficient to view
  // https://publicobject.com (Comodo) and https://squareup.com (Entrust). But they aren't
  // sufficient to connect to most HTTPS sites including https://godaddy.com and https://visa.com.
  // Typically developers will need to get a PEM file from their organization's TLS administrator.

	data = bytes.TrimSpace(data)

	// Parse all certs in the chain.
	current := data
	for len(current) > 0 {
		var pemBlock *pem.Block
		if pemBlock, current = pem.Decode(current); pemBlock == nil {
			return nil, ErrTLSUnexpectedData(nil).Msgf("Could not read PEM block from file %s", certFile)
		}

		var x509Cert *x509.Certificate
		if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {

  )
  fun keyPair(): KeyPair = keyPair

  /**
   * Returns the certificate encoded in [PEM format][rfc_7468].
   *
   * [rfc_7468]: https://tools.ietf.org/html/rfc7468
   */
  fun certificatePem(): String = certificate.certificatePem()

  /**
   * Returns the private key encoded in [PKCS #8][rfc_5208] [PEM format][rfc_7468].
   *
   * [rfc_5208]: https://tools.ietf.org/html/rfc5208

    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager())
    .build();
```

PEM files
---------

You can encode a `HeldCertificate` in PEM format:

```java
HeldCertificate heldCertificate = ...
System.out.println(heldCertificate.certificatePem())
```

```
-----BEGIN CERTIFICATE-----

          }

          println(response.body!!.string())
        }
      }

      /**
       * Returns an input stream containing one or more certificate PEM files. This implementation just
       * embeds the PEM files in Java strings; most applications will instead read this from a resource
       * file that gets bundled with the application.
       */

					if err != nil {
						return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err)
					}
					keyBytes = pem.EncodeToMemory(&pem.Block{Type: privateKeyPEM.Type, Bytes: keyBytes})
				}
				certificate, err := tls.X509KeyPair(certBytes, keyBytes)
				if err != nil {

* 3.3 [Use OpenSSL (with IP address) to Generate a Certificate](#using-open-ssl-with-ip)
* 3.4 [Use GnuTLS (for Windows) to Generate a Certificate](#using-gnu-tls)

**Note:**

* MinIO only supports keys and certificates in PEM format on Linux and Windows.
* MinIO doesn't currently support PFX certificates.

### 3.1 Use `certgen` to Generate a Certificate

	if err != nil {
		return nil, nil, fmt.Errorf("Failed to create certificate: %w", err)
	}

	certOut := bytes.NewBuffer([]byte{})
	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

	keyOut := bytes.NewBuffer([]byte{})
	pem.Encode(keyOut, pemBlockForKey(priv))

	return certOut.Bytes(), keyOut.Bytes(), nil
}

		},
		Subject:       "test",
		Secure:        true,
		CertAuthority: path.Join("testdata", "contrib", "certs", "root_ca_cert.pem"),
		ClientCert:    path.Join("testdata", "contrib", "certs", "nats_client_cert.pem"),
		ClientKey:     path.Join("testdata", "contrib", "certs", "nats_client_key.pem"),
	}

	con, err := clientConfig.connectNats()
	if err != nil {
		t.Errorf("Could not connect to nats: %v", err)
	}

port: 14226
net: localhost

tls {
    cert_file:  "./testdata/contrib/certs/nats_server_cert.pem"
    key_file:   "./testdata/contrib/certs/nats_server_key.pem"
    ca_file:   "./testdata/contrib/certs/root_ca_cert.pem"
    verify_and_map: true
}
authorization {
    ADMIN = {
        publish = ">"
        subscribe = ">"
    }
    users = [
        {user: "CN=localhost,OU=Client,O=MinIO,C=CA", permissions: $ADMIN}
    ]