want    x509.Certificate
		wantErr string
	}{
		{
			name:   "ca info",
			policy: PermissiveSigningPolicy{TTL: time.Hour, Now: nowFunc},
			want: x509.Certificate{
				Issuer:                caCert.Subject,
				AuthorityKeyId:        caCert.SubjectKeyId,
				NotBefore:             now,
				NotAfter:              now.Add(1 * time.Hour),
				BasicConstraintsValid: true,
			},
		},
		{
			name:   "key usage",

}

func TestJwtHTTPSServer(t *testing.T) {
	var (
		serverKey  = "../testdata/server.key"
		serverCert = "../testdata/server.crt"
	)

	caCert, err := os.ReadFile(serverCert)
	if err != nil {
		t.Fatal(err)
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(caCert)

	// creating https client with client certificate and certificate authority
	httpsClient := &http.Client{
		Transport: &http.Transport{

  // If non-empty, make the request with the corresponding cert and key.
  string cert = 10;
  string key = 11;
  // If non-empty, verify the server CA
  string caCert = 12;
  // If non-empty, make the request with the corresponding cert and key file.
  string certFile = 16;
  string keyFile = 17;
  // If non-empty, verify the server CA with the ca cert file.
  string caCertFile = 18;
  // Skip verifying peer's certificate.

package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/etc/certs/ca-certificates.crt",     // Solaris 11.2+
	"/etc/ssl/certs/ca-certificates.crt", // Joyent SmartOS
	"/etc/ssl/cacert.pem",                // OmniOS
}

// Possible directories with certificate files; all will be read.
var certDirectories = []string{
	"/etc/certs/CA",

// select the loopback certificate via SNI if TLS is used.
const LoopbackClientServerNameOverride = "apiserver-loopback-client"

func (s *SecureServingInfo) NewClientConfig(caCert []byte) (*restclient.Config, error) {
	if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
		return nil, nil
	}

	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
	if err != nil {
		return nil, err
	}

				certsphase.KubeadmCertEtcdAPIClient(),
			} {
				if err := cert.CreateFromCA(newcfg, caCert, caKey); err != nil {
					t.Fatalf("couldn't create certificate %s: %v", cert.Name, err)
				}
			}

			actualErr := StaticPodControlPlane(
				nil,
				waiter,
				pathMgr,
				newcfg,
				true,
				true,
				fakeTLSEtcdClient{
					TLS: false,
				},
				fakePodManifestEtcdClient{

	}

	// The CA cert is required for updating kubeconfig files.
	// For local CA renewal, the local CA on disk could have changed, thus a reload is needed.
	// For CSR renewal we assume the same CA on disk is mounted for usage with KCM's
	// '--cluster-signing-cert-file' flag.
	certificatePath, _ := pkiutil.PathsForCertAndKey(rw.certificateDir, rw.baseName)
	caCerts, err := certutil.CertsFromFile(certificatePath)

func (tr *transport) initialize() error {
	var cert, key, ca string
	if tr.cert != nil {
		cert = *tr.cert
	}
	if tr.key != nil {
		key = *tr.key
	}
	if tr.ca != nil {
		ca = *tr.ca
	}

	if cert != "" && key != "" {
		tlsCert, err := tls.LoadX509KeyPair(cert, key)
		if err != nil {
			return fmt.Errorf("could not load certificate/key pair specified by -tls_cert and -tls_key: %v", err)
		}

limitations under the License.
*/

// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the webhook tests.

package testcerts

// CACert is a test cert for dynamic admission controller.
var CACert = []byte(`-----BEGIN CERTIFICATE-----
MIIC9DCCAdygAwIBAgIJAIFe3lWPaalKMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
BAMMA19jYTAgFw0xNzEyMjIxODA0MjRaGA8yMjkxMTAwNzE4MDQyNFowDjEMMAoG

// and push skipping. This is because an secret potentially has a dependency on the same secret with or without
// the -cacert suffix. By including this dependency we ensure we do not miss any updates.
// This is important for cases where we have a compound secret. In this case, the `foo` secret may update,
// but we need to push both the `foo` and `foo-cacert` resource name, or they will fall out of sync.
func relatedConfigs(k model.ConfigKey) []model.ConfigKey {