CertificateValidationContext.Builder (api 0.1.28 API)

java.lang.Object
- com.google.protobuf.AbstractMessageLite.Builder
- - com.google.protobuf.AbstractMessage.Builder<BuilderType>
  - - com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>
    - - io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.Builder

All Implemented Interfaces:

com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, Cloneable

Enclosing class:

CertificateValidationContext
```
public static final class CertificateValidationContext.Builder
extends com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>
implements CertificateValidationContextOrBuilder
```
```
 [#next-free-field: 12]
 
```
Protobuf type envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`CertificateValidationContext.Builder`	`addAllMatchSubjectAltNames(Iterable<? extends StringMatcher> values)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`addAllVerifyCertificateHash(Iterable<String> values)` An optional list of hex-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`addAllVerifyCertificateSpki(Iterable<String> values)` An optional list of base64-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`addMatchSubjectAltNames(int index, StringMatcher value)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`addMatchSubjectAltNames(StringMatcher.Builder builderForValue)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`addMatchSubjectAltNames(StringMatcher value)` An optional list of Subject Alternative name matchers.
`StringMatcher.Builder`	`addMatchSubjectAltNamesBuilder()` An optional list of Subject Alternative name matchers.
`StringMatcher.Builder`	`addMatchSubjectAltNamesBuilder(int index)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)`
`CertificateValidationContext.Builder`	`addVerifyCertificateHash(String value)` An optional list of hex-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)` An optional list of hex-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`addVerifyCertificateSpki(String value)` An optional list of base64-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)` An optional list of base64-encoded SHA-256 hashes.
`CertificateValidationContext`	`build()`
`CertificateValidationContext`	`buildPartial()`
`CertificateValidationContext.Builder`	`clear()`
`CertificateValidationContext.Builder`	`clearAllowExpiredCertificate()` If specified, Envoy will not reject expired certificates.
`CertificateValidationContext.Builder`	`clearCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`CertificateValidationContext.Builder`	`clearField(com.google.protobuf.Descriptors.FieldDescriptor field)`
`CertificateValidationContext.Builder`	`clearMatchSubjectAltNames()` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)`
`CertificateValidationContext.Builder`	`clearRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp.
`CertificateValidationContext.Builder`	`clearTrustChainVerification()` Certificate trust chain verification mode.
`CertificateValidationContext.Builder`	`clearTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`CertificateValidationContext.Builder`	`clearVerifyCertificateHash()` An optional list of hex-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`clearVerifyCertificateSpki()` An optional list of base64-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`clearWatchedDirectory()` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`CertificateValidationContext.Builder`	`clone()`
`boolean`	`getAllowExpiredCertificate()` If specified, Envoy will not reject expired certificates.
`DataSource`	`getCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`DataSource.Builder`	`getCrlBuilder()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`DataSourceOrBuilder`	`getCrlOrBuilder()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`CertificateValidationContext`	`getDefaultInstanceForType()`
`static com.google.protobuf.Descriptors.Descriptor`	`getDescriptor()`
`com.google.protobuf.Descriptors.Descriptor`	`getDescriptorForType()`
`StringMatcher`	`getMatchSubjectAltNames(int index)` An optional list of Subject Alternative name matchers.
`StringMatcher.Builder`	`getMatchSubjectAltNamesBuilder(int index)` An optional list of Subject Alternative name matchers.
`List<StringMatcher.Builder>`	`getMatchSubjectAltNamesBuilderList()` An optional list of Subject Alternative name matchers.
`int`	`getMatchSubjectAltNamesCount()` An optional list of Subject Alternative name matchers.
`List<StringMatcher>`	`getMatchSubjectAltNamesList()` An optional list of Subject Alternative name matchers.
`StringMatcherOrBuilder`	`getMatchSubjectAltNamesOrBuilder(int index)` An optional list of Subject Alternative name matchers.
`List<? extends StringMatcherOrBuilder>`	`getMatchSubjectAltNamesOrBuilderList()` An optional list of Subject Alternative name matchers.
`com.google.protobuf.BoolValue`	`getRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp.
`com.google.protobuf.BoolValue.Builder`	`getRequireSignedCertificateTimestampBuilder()` [#not-implemented-hide:] Must present signed certificate time-stamp.
`com.google.protobuf.BoolValueOrBuilder`	`getRequireSignedCertificateTimestampOrBuilder()` [#not-implemented-hide:] Must present signed certificate time-stamp.
`CertificateValidationContext.TrustChainVerification`	`getTrustChainVerification()` Certificate trust chain verification mode.
`int`	`getTrustChainVerificationValue()` Certificate trust chain verification mode.
`DataSource`	`getTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`DataSource.Builder`	`getTrustedCaBuilder()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`DataSourceOrBuilder`	`getTrustedCaOrBuilder()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`String`	`getVerifyCertificateHash(int index)` An optional list of hex-encoded SHA-256 hashes.
`com.google.protobuf.ByteString`	`getVerifyCertificateHashBytes(int index)` An optional list of hex-encoded SHA-256 hashes.
`int`	`getVerifyCertificateHashCount()` An optional list of hex-encoded SHA-256 hashes.
`com.google.protobuf.ProtocolStringList`	`getVerifyCertificateHashList()` An optional list of hex-encoded SHA-256 hashes.
`String`	`getVerifyCertificateSpki(int index)` An optional list of base64-encoded SHA-256 hashes.
`com.google.protobuf.ByteString`	`getVerifyCertificateSpkiBytes(int index)` An optional list of base64-encoded SHA-256 hashes.
`int`	`getVerifyCertificateSpkiCount()` An optional list of base64-encoded SHA-256 hashes.
`com.google.protobuf.ProtocolStringList`	`getVerifyCertificateSpkiList()` An optional list of base64-encoded SHA-256 hashes.
`WatchedDirectory`	`getWatchedDirectory()` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`WatchedDirectory.Builder`	`getWatchedDirectoryBuilder()` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`WatchedDirectoryOrBuilder`	`getWatchedDirectoryOrBuilder()` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`boolean`	`hasCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`boolean`	`hasRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp.
`boolean`	`hasTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`boolean`	`hasWatchedDirectory()` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable`	`internalGetFieldAccessorTable()`
`boolean`	`isInitialized()`
`CertificateValidationContext.Builder`	`mergeCrl(DataSource value)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`CertificateValidationContext.Builder`	`mergeFrom(CertificateValidationContext other)`
`CertificateValidationContext.Builder`	`mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)`
`CertificateValidationContext.Builder`	`mergeFrom(com.google.protobuf.Message other)`
`CertificateValidationContext.Builder`	`mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present signed certificate time-stamp.
`CertificateValidationContext.Builder`	`mergeTrustedCa(DataSource value)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`CertificateValidationContext.Builder`	`mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)`
`CertificateValidationContext.Builder`	`mergeWatchedDirectory(WatchedDirectory value)` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`CertificateValidationContext.Builder`	`removeMatchSubjectAltNames(int index)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`setAllowExpiredCertificate(boolean value)` If specified, Envoy will not reject expired certificates.
`CertificateValidationContext.Builder`	`setCrl(DataSource.Builder builderForValue)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`CertificateValidationContext.Builder`	`setCrl(DataSource value)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
`CertificateValidationContext.Builder`	`setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)`
`CertificateValidationContext.Builder`	`setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`setMatchSubjectAltNames(int index, StringMatcher value)` An optional list of Subject Alternative name matchers.
`CertificateValidationContext.Builder`	`setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)`
`CertificateValidationContext.Builder`	`setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)` [#not-implemented-hide:] Must present signed certificate time-stamp.
`CertificateValidationContext.Builder`	`setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present signed certificate time-stamp.
`CertificateValidationContext.Builder`	`setTrustChainVerification(CertificateValidationContext.TrustChainVerification value)` Certificate trust chain verification mode.
`CertificateValidationContext.Builder`	`setTrustChainVerificationValue(int value)` Certificate trust chain verification mode.
`CertificateValidationContext.Builder`	`setTrustedCa(DataSource.Builder builderForValue)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`CertificateValidationContext.Builder`	`setTrustedCa(DataSource value)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
`CertificateValidationContext.Builder`	`setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)`
`CertificateValidationContext.Builder`	`setVerifyCertificateHash(int index, String value)` An optional list of hex-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`setVerifyCertificateSpki(int index, String value)` An optional list of base64-encoded SHA-256 hashes.
`CertificateValidationContext.Builder`	`setWatchedDirectory(WatchedDirectory.Builder builderForValue)` If specified, updates of a file-based trusted_ca source will be triggered by this watch.
`CertificateValidationContext.Builder`	`setWatchedDirectory(WatchedDirectory value)` If specified, updates of a file-based trusted_ca source will be triggered by this watch.

Methods inherited from class com.google.protobuf.GeneratedMessageV3.Builder
getAllFields, getField, getFieldBuilder, getOneofFieldDescriptor, getParentForChildren, getRepeatedField, getRepeatedFieldBuilder, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, internalGetMutableMapField, isClean, markClean, newBuilderForField, onBuilt, onChanged, setUnknownFieldsProto3

Methods inherited from class com.google.protobuf.AbstractMessage.Builder
findInitializationErrors, getInitializationErrorString, internalMergeFrom, mergeDelimitedFrom, mergeDelimitedFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, newUninitializedMessageException, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite.Builder
addAll, addAll, mergeFrom, newUninitializedMessageException

Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLite.Builder
mergeFrom

Method Detail

getDescriptor

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

internalGetFieldAccessorTable
```
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
```
Specified by:

internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

clear
```
public CertificateValidationContext.Builder clear()
```
Specified by:

clear in interface com.google.protobuf.Message.Builder

Specified by:

clear in interface com.google.protobuf.MessageLite.Builder

Overrides:

clear in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

getDescriptorForType
```
public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
```
Specified by:

getDescriptorForType in interface com.google.protobuf.Message.Builder

Specified by:

getDescriptorForType in interface com.google.protobuf.MessageOrBuilder

Overrides:

getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

getDefaultInstanceForType
```
public CertificateValidationContext getDefaultInstanceForType()
```
Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder

Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

build
```
public CertificateValidationContext build()
```
Specified by:

build in interface com.google.protobuf.Message.Builder

Specified by:

build in interface com.google.protobuf.MessageLite.Builder

buildPartial
```
public CertificateValidationContext buildPartial()
```
Specified by:

buildPartial in interface com.google.protobuf.Message.Builder

Specified by:

buildPartial in interface com.google.protobuf.MessageLite.Builder

clone
```
public CertificateValidationContext.Builder clone()
```
Specified by:

clone in interface com.google.protobuf.Message.Builder

Specified by:

clone in interface com.google.protobuf.MessageLite.Builder

Overrides:

clone in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

setField

public CertificateValidationContext.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                                     Object value)

Specified by:: setField in interface com.google.protobuf.Message.Builder
Overrides:: setField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

clearField
```
public CertificateValidationContext.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
```
Specified by:

clearField in interface com.google.protobuf.Message.Builder

Overrides:

clearField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

clearOneof
```
public CertificateValidationContext.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
```
Specified by:

clearOneof in interface com.google.protobuf.Message.Builder

Overrides:

clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

setRepeatedField

public CertificateValidationContext.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                                             int index,
                                                             Object value)

Specified by:: setRepeatedField in interface com.google.protobuf.Message.Builder
Overrides:: setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

addRepeatedField

public CertificateValidationContext.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                                             Object value)

Specified by:: addRepeatedField in interface com.google.protobuf.Message.Builder
Overrides:: addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

mergeFrom
```
public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
```
Specified by:

mergeFrom in interface com.google.protobuf.Message.Builder

Overrides:

mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>

mergeFrom

public CertificateValidationContext.Builder mergeFrom(CertificateValidationContext other)

isInitialized
```
public final boolean isInitialized()
```
Specified by:

isInitialized in interface com.google.protobuf.MessageLiteOrBuilder

Overrides:

isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

mergeFrom

public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input,
                                                      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                               throws IOException

Specified by:: mergeFrom in interface com.google.protobuf.Message.Builder
Specified by:: mergeFrom in interface com.google.protobuf.MessageLite.Builder
Overrides:: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
Throws:: IOException

hasTrustedCa

public boolean hasTrustedCa()

TLS certificate data containing certificate authority certificates to use in verifying
a presented peer certificate (e.g. server certificate for clusters or client certificate
for listeners). If not specified and a peer certificate is presented it will not be
verified. By default, a client certificate is optional, unless one of the additional
options (:ref:`require_client_certificate
<envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.require_client_certificate>`,
:ref:`verify_certificate_spki
<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>`,
:ref:`verify_certificate_hash
<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`, or
:ref:`match_subject_alt_names
<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.match_subject_alt_names>`) is also
specified.
It can optionally contain certificate revocation lists, in which case Envoy will verify
that the presented peer certificate has not been revoked by one of the included CRLs. Note
that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
provided for all certificate authorities in that chain. Failure to do so will result in
verification failure for both revoked and unrevoked certificates from that chain.
See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
system CA locations.
If *trusted_ca* is a filesystem path, a watch will be added to the parent
directory for any file moves to support rotation. This currently only
applies to dynamic secrets, when the *CertificateValidationContext* is
delivered via SDS.

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:: hasTrustedCa in interface CertificateValidationContextOrBuilder

getTrustedCa

public DataSource getTrustedCa()

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:: getTrustedCa in interface CertificateValidationContextOrBuilder

setTrustedCa

public CertificateValidationContext.Builder setTrustedCa(DataSource value)

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

setTrustedCa

public CertificateValidationContext.Builder setTrustedCa(DataSource.Builder builderForValue)

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

mergeTrustedCa

public CertificateValidationContext.Builder mergeTrustedCa(DataSource value)

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

clearTrustedCa

public CertificateValidationContext.Builder clearTrustedCa()

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

getTrustedCaBuilder

public DataSource.Builder getTrustedCaBuilder()

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

getTrustedCaOrBuilder

public DataSourceOrBuilder getTrustedCaOrBuilder()

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:: getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder

hasWatchedDirectory

public boolean hasWatchedDirectory()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:: hasWatchedDirectory in interface CertificateValidationContextOrBuilder

getWatchedDirectory

public WatchedDirectory getWatchedDirectory()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:: getWatchedDirectory in interface CertificateValidationContextOrBuilder

setWatchedDirectory

public CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory value)

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

setWatchedDirectory

public CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory.Builder builderForValue)

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

mergeWatchedDirectory

public CertificateValidationContext.Builder mergeWatchedDirectory(WatchedDirectory value)

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

clearWatchedDirectory

public CertificateValidationContext.Builder clearWatchedDirectory()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

getWatchedDirectoryBuilder

public WatchedDirectory.Builder getWatchedDirectoryBuilder()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

getWatchedDirectoryOrBuilder

public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:: getWatchedDirectoryOrBuilder in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiList

public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiCount

public int getVerifyCertificateSpkiCount()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpki

public String getVerifyCertificateSpki(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiBytes

public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder

setVerifyCertificateSpki

public CertificateValidationContext.Builder setVerifyCertificateSpki(int index,
                                                                     String value)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

addVerifyCertificateSpki

public CertificateValidationContext.Builder addVerifyCertificateSpki(String value)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

addAllVerifyCertificateSpki

public CertificateValidationContext.Builder addAllVerifyCertificateSpki(Iterable<String> values)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

clearVerifyCertificateSpki

public CertificateValidationContext.Builder clearVerifyCertificateSpki()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

addVerifyCertificateSpkiBytes

public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

getVerifyCertificateHashList

public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashCount

public int getVerifyCertificateHashCount()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateHash

public String getVerifyCertificateHash(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateHash in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashBytes

public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:: getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder

setVerifyCertificateHash

public CertificateValidationContext.Builder setVerifyCertificateHash(int index,
                                                                     String value)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

addVerifyCertificateHash

public CertificateValidationContext.Builder addVerifyCertificateHash(String value)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

addAllVerifyCertificateHash

public CertificateValidationContext.Builder addAllVerifyCertificateHash(Iterable<String> values)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

clearVerifyCertificateHash

public CertificateValidationContext.Builder clearVerifyCertificateHash()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

addVerifyCertificateHashBytes

public CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }