@Size(max = 1000)
    public String entraidClientSecret;

    /** Entra ID tenant ID. */
    @Size(max = 1000)
    public String entraidTenant;

    /** Entra ID authority URL. */
    @Size(max = 1000)
    public String entraidAuthority;

    /** Entra ID OAuth2 reply URL. */
    @Size(max = 1000)
    public String entraidReplyUrl;

   * signed by the compromised CA's certificate and uses it in a non-CA certificate. They ask the
   * pinned CA above to sign it for non-certificate-authority uses:
   *
   * ```
   *   pinnedRoot (trusted by CertificatePinner)
   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *         -> attackerSwitch
   * ```
   *

<img src="/img/deployment/https/https.drawio.svg">

The **TLS certificates** are **associated with a domain name**, not with an IP address.

So, to renew the certificates, the renewal program needs to **prove** to the authority (Let's Encrypt) that it indeed **"owns" and controls that domain**.

To do that, and to accommodate different application needs, there are several ways it can do it. Some popular ways are:

* **Modify some DNS records**.

        // Share when share set but no path
        assertEquals(SmbConstants.TYPE_SHARE, locator("smb://server/share/").getType());

        // Workgroup when no authority
        assertEquals(SmbConstants.TYPE_WORKGROUP, locator("smb:///").getType());

        // Server vs Workgroup depends on NetBIOS name type
        Address addr = mock(Address.class);

              insertIntoDynamicTable(header)
            }

            name.startsWith(Header.PSEUDO_PREFIX) && TARGET_AUTHORITY != name -> {
              // Follow Chromes lead - only include the :authority pseudo header, but exclude all other
              // pseudo headers. Literal Header Field without Indexing - Indexed Name.
              writeInt(headerNameIndex, PREFIX_4_BITS, 0)
              writeByteString(value)

     * @param streamId client-initiated stream ID.  Must be an odd number.
     * @param promisedStreamId server-initiated stream ID.  Must be an even number.
     * @param requestHeaders minimally includes `:method`, `:scheme`, `:authority`, and `:path`.
     */
    @Throws(IOException::class)
    fun pushPromise(
      streamId: Int,
      promisedStreamId: Int,
      requestHeaders: List<Header>,
    )

    /**

                 * for the addresses hostname or failed lookups for one type will
                 * be cached and cause other types to fail even though they may
                 * not be the authority for the name. For example, if a WINS lookup
                 * for FOO fails and caches unknownAddress for FOO, a subsequent
                 * lookup for FOO using BCAST should not fail because of that

labels.spnego_exclude_dirs=Exclude Directories
labels.general_menu_entraid=Entra ID
labels.entraid_client_id=Client ID
labels.entraid_client_secret=Client Secret
labels.entraid_tenant=Tenant
labels.entraid_authority=Authority
labels.entraid_reply_url=Reply URL
labels.entraid_state_ttl=State TTL
labels.entraid_default_groups=Default Groups
labels.entraid_default_roles=Default Roles
labels.entraid_permission_fields=Permission Fields

            fessConfig.setSystemProperty("entraid.client.secret", form.entraidClientSecret);
        }
        fessConfig.setSystemProperty("entraid.tenant", form.entraidTenant);
        fessConfig.setSystemProperty("entraid.authority", form.entraidAuthority);
        fessConfig.setSystemProperty("entraid.reply.url", form.entraidReplyUrl);
        fessConfig.setSystemProperty("entraid.state.ttl", form.entraidStateTtl);

- K8s.io/client-go/transport now automatically reloads certificate authority roots from disk when they are supplied via a file path.  This functionality is enabled by default and can be disabled via the ClientsAllowCARotation feature gate. ([#132922](https://github.com/kubernetes/kubernetes/pull/132922), [@yt2985](https:...