CSR, certificates are written to disk and mTLS is used for future requests. If the VM restarted, it would continue
to use the certificates written to disk, assuming the downtime is less than certificate expiration. This is why
the certificates are persisted to disk, rather than kept in memory like in the standard Kubernetes deployment.

## Certificate Rotation

        .addTrustedCertificate(comodoRsaCertificationAuthority)
        // Uncomment if standard certificates are also required.
        //.addPlatformTrustedCertificates()
        .build();

    client = new OkHttpClient.Builder()
            .sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager())
            .build();
  }

  public void run() throws Exception {

1. [Install MinIO Server](#install-minio-server)
2. [Use an Existing Key and Certificate with MinIO](#use-an-existing-key-and-certificate-with-minio)
3. [Generate and use Self-signed Keys and Certificates with MinIO](#generate-use-self-signed-keys-certificates)
4. [Install Certificates from Third-party CAs](#install-certificates-from-third-party-cas)

  }

  @Suppress("UNCHECKED_CAST")
  @Throws(SSLPeerUnverifiedException::class)
  override fun getPeerCertificates(): Array<Certificate> {
    return if (certificates.isEmpty()) {
      throw SSLPeerUnverifiedException("peer not authenticated")
    } else {
      certificates as Array<Certificate>
    }
  }

  @Throws(
    SSLPeerUnverifiedException::class,
  )

    assertThat(cleaner.clean(certificates, "hostname")).isEqualTo(certificates)
    assertThat(cleaner.clean(certificates.subList(0, 9), "hostname")).isEqualTo(
      certificates,
    )
  }

  @Test
  fun chainTooLong() {
    val heldCertificates = chainOfLength(11)
    val certificates: MutableList<Certificate> = ArrayList()
    for (heldCertificate in heldCertificates) {
      certificates.add(heldCertificate.certificate)

on-300-000-iranians-using-fake-google-certificate.html). It also assumes your HTTPS servers’ certificates are signed by a certificate authority.

Use [CertificatePinner](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. **Do not use certificate pinning without the blessing of your server’s...

  //  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
  //  6. Whether or not requests for CA certificates are allowed.
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different

```

### Installing certificates from third party CAs

        .addTrustedCertificate(comodoRsaCertificationAuthority)
        // Uncomment if standard certificates are also required.
        // .addPlatformTrustedCertificates()
        .build()
    client =
      OkHttpClient.Builder()
        .sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager)
        .build()
  }

  fun run() {
    showUrl("https://squareup.com/robots.txt")

    ```

    Get these strings with `HeldCertificate.certificatePem()` and `privateKeyPkcs8Pem()`.

 *  Fix: Handshake now returns peer certificates in canonical order: each certificate is signed by
    the certificate that follows and the last certificate is signed by a trusted root.

 *  Fix: Don't lose HTTP/2 flow control bytes when incoming data races with a stream close. If this