Maintenant, du point de vue d'un développeur, voici plusieurs choses à avoir en tête en pensant au HTTPS :

* Pour le HTTPS, le serveur a besoin de "certificats" générés par une tierce partie.
    * Ces certificats sont en fait acquis auprès de la tierce partie, et non "générés".
* Les certificats ont une durée de vie.
    * Ils expirent.
    * Puis ils doivent être renouvelés et acquis à nouveau auprès de la tierce partie.

  @Suppress("UNCHECKED_CAST")
  @Throws(SSLPeerUnverifiedException::class)
  override fun getPeerCertificates(): Array<Certificate> =
    if (certificates.isEmpty()) {
      throw SSLPeerUnverifiedException("peer not authenticated")
    } else {
      certificates as Array<Certificate>
    }

  @Throws(
    SSLPeerUnverifiedException::class,
  )

nians-using-fake-google-certificate.html). It also assumes your HTTPS servers’ certificates are signed by a certificate authority.

Use [CertificatePinner](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. **Do not use certificate pinning without the blessing of your server’s TLS administrator!**...

 * Cleaning a chain returns a list of certificates where the first element is `chain[0]`, each
 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to

      + "jaA9VEhgdaVhxBsT2qzUNDsXlOzGsliznDfoqETb\n"
      + "-----END CERTIFICATE-----\n";

    X509Certificate certificate =
        Certificates.decodeCertificatePem(certificateString);

    assertEquals(certificateString, Certificates.certificatePem(certificate));
  }

certSecret: "" publicCrt: public.crt privateKey: private.key ## Trusted Certificates Settings for MinIO. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas ## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret ## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt....

   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *         -> attackerSwitch
   * ```
   *
   * The attacker serves a set of certificates that yields a too-long chain in our certificate
   * pinner. The served certificates (incorrectly) formed a single chain to the pinner:
   *
   * ```
   *   attackerCa
   *     -> attackerIntermediate

    val certificates =
      HandshakeCertificates
        .Builder()
        .addTrustedCertificate(letsEncryptCertificateAuthority)
        .addTrustedCertificate(entrustRootCertificateAuthority)
        .addTrustedCertificate(comodoRsaCertificationAuthority)
        // Uncomment if standard certificates are also required.
        // .addPlatformTrustedCertificates()

  @SuppressSignatureCheck
  override fun clean(
    chain: List<Certificate>,
    hostname: String,
  ): List<Certificate> {
    val certificates = (chain as List<X509Certificate>).toTypedArray()
    try {
      return x509TrustManagerExtensions.checkServerTrusted(certificates, "RSA", hostname)
    } catch (ce: CertificateException) {
      throw SSLPeerUnverifiedException(ce.message).apply { initCause(ce) }
    }
  }

FROM golang:1.24-alpine as build

ARG TARGETARCH
ARG RELEASE

ENV GOPATH=/go
ENV CGO_ENABLED=0

# Install curl and minisign
RUN apk add -U --no-cache ca-certificates && \
    apk add -U --no-cache curl && \
    go install aead.dev/minisign/cmd/minisign@v0.2.1

# Download minio binary and signature files
RUN curl -s -q https://dl.min.io/server/minio/hotfixes/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /go/bin/minio && \