The domains are securely verified and the certificates are generated automatically. This also allows automating the renewal of these certificates.

      }
    }

  fun verify(
    host: String,
    certificate: X509Certificate,
  ): Boolean =
    when {
      host.canParseAsIpAddress() -> verifyIpAddress(host, certificate)
      else -> verifyHostname(host, certificate)
    }

  /** Returns true if [certificate] matches [ipAddress]. */
  private fun verifyIpAddress(
    ipAddress: String,
    certificate: X509Certificate,
  ): Boolean {

  }

  private fun certificate(certificate: String): X509Certificate =
    CertificateFactory
      .getInstance("X.509")
      .generateCertificate(ByteArrayInputStream(certificate.toByteArray()))
      as X509Certificate

  private fun session(certificate: String): SSLSession = FakeSSLSession(certificate(certificate))

        peerCertificates = listOf(serverCertificate.certificate, serverIntermediate.certificate),
        localCertificates = listOf(),
      )

    assertThat(handshake.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
    assertThat(handshake.cipherSuite).isEqualTo(CipherSuite.TLS_AES_128_GCM_SHA256)
    assertThat(handshake.peerCertificates).containsExactly(
      serverCertificate.certificate,
      serverIntermediate.certificate,
    )

 * `api.publicobject.com` are valid if either A's or B's certificate is in the chain.
 *
 * ## Warning: Certificate Pinning is Dangerous!
 *
 * Pinning certificates limits your server team's abilities to update their TLS certificates. By
 * pinning certificates, you take on additional operational complexity and limit your ability to
 * migrate between certificate authorities. Do not use certificate pinning without the blessing of

 * the License.
 */
package okhttp3

import java.security.Principal
import java.security.cert.Certificate
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSession
import javax.net.ssl.SSLSessionContext
import javax.security.cert.X509Certificate

class FakeSSLSession(
  vararg val certificates: Certificate,
) : SSLSession {
  override fun getApplicationBufferSize(): Int = throw UnsupportedOperationException()

	// configured expiry and the duration until the certificate itself
	// expires.
	// We must not issue credentials that out-live the certificate.
	if validUntil := time.Until(certificate.NotAfter); validUntil < expiry {
		expiry = validUntil
	}

	// Associate any service accounts to the certificate CN
	parentUser := "tls" + getKeySeparator() + certificate.Subject.CommonName

      + "0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB\n"
      + "NVOFBkpdn627G190\n"
      + "-----END CERTIFICATE-----\n");

  final X509Certificate entrustRootCertificateAuthority = Certificates.decodeCertificatePem(""
      + "-----BEGIN CERTIFICATE-----\n"
      + "MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC\n"

hmac-sha2-512
hmac-sha1
hmac-sha1-96
```

### Certificate-based authentication

`--sftp=trusted-user-ca-key=...` specifies a file containing public key of certificate authority that is trusted
to sign user certificates for authentication.

Implementation is identical with "TrustedUserCAKeys" setting in OpenSSH server with exception that only one CA
key can be defined.

    val certificate =
      HeldCertificate
        .Builder()
        .keyPair(publicKey, privateKey)
        .build()

    val certificateByteString = certificate.certificate.encoded.toByteString()

    val okHttpCertificate =
      CertificateAdapters.certificate
        .fromDer(certificateByteString)