tech-userlevel archive
Re: new certificate stuff
> Date: Mon, 28 Aug 2023 10:41:32 +0200
> From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
>
> Maybe postinstall should check the /etc/openssl/certs.conf existence,
> and fail the 'fix opensslcerts' asking for it to be manually created;
> as we do for e.g. uid/gid if some are missing ?
I split it into two postinstall items:

- opensslcertsconf: handles missing /etc/openssl/certs.conf, in case
  you neglect to apply etcupdate or equivalent to bring in new config
  files.

  If you appear to be managing /etc/openssl/certs manually already,
  this sets `manual' in certs.conf; otherwise it copies the default
  one from /usr/share/examples/certctl/certs.conf.

- opensslcertsrehash: handles regenerating the /etc/openssl/certs
  cache from config.

I also added a check operation so that this complains if and only if
`certctl rehash' would create something different from what is
currently in /etc/openssl/certs (or if it doesn't seem to be managed
by certctl(8), but /etc/openssl/certs.conf doesn't set `manual').

Please let me know if you have any trouble with upgrades!

I'm trying to make sure this will provide a seamless fresh install and
upgrade path so that if you were already managing /etc/openssl/certs,
it stays that way, but if you weren't, certctl(8) takes over and makes
the Mozilla trust anchors available. And I'd like to get this into 10
ASAP.
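The decision rule the check operation above describes (complain if and only if a rehash would change /etc/openssl/certs, or the directory is not certctl-managed while certs.conf does not say `manual') can be written down as a small POSIX sh script. The following is an added illustration, not NetBSD's postinstall(8) or certctl(8) code. It assumes, for illustration only, that a certctl-managed directory carries a marker file named .certctl, that a hand-managed directory is declared by a line consisting of the single word `manual' in certs.conf, and that certctl(8) accepts -c to name the certs directory and -C to name the config file; the function names (conf_is_manual, dir_is_managed, certs_check, certctl_rehash_into) are this example's own. Check certctl(8) on your system before relying on any of those assumptions.

```sh
#!/bin/sh
# Added example of a "would a rehash change anything?" check.
# Not NetBSD's postinstall or certctl code.
# Assumptions (not taken from the discussion above):
#   - a certctl-managed directory contains a marker file named .certctl
#   - certs.conf declares a hand-managed directory with a line `manual'
#   - certctl(8) takes -c certsdir and -C config (see certctl_rehash_into)

# Does certs.conf declare the directory as managed by hand?
conf_is_manual() {
    conf=$1
    [ -f "$conf" ] && grep -q '^[[:space:]]*manual[[:space:]]*$' "$conf"
}

# Does the certs directory look like certctl(8) populated it?
# (assumed .certctl marker file)
dir_is_managed() {
    [ -f "$1/.certctl" ]
}

# certs_check CERTSDIR CONF REHASH
#   REHASH is a command that, given one directory argument, fills that
#   directory exactly as `certctl rehash' would; for real use pass
#   certctl_rehash_into (below), for a test pass any populator.
#   Returns 0 when there is nothing to complain about, 1 when a rehash
#   would change CERTSDIR or when CERTSDIR is not managed by certctl
#   and CONF does not set `manual', 2 on an internal error.
certs_check() {
    certsdir=$1 conf=$2 rehash=$3

    if conf_is_manual "$conf"; then
        return 0              # hand-managed: nothing to compare against
    fi
    if ! dir_is_managed "$certsdir"; then
        echo "$certsdir: not managed by certctl, but $conf does not set manual" >&2
        return 1
    fi

    # Rehash into a scratch directory and diff it against what is installed.
    tmp=$(mktemp -d) || return 2
    if ! "$rehash" "$tmp"; then
        rm -rf "$tmp"
        return 2
    fi
    if diff -r "$tmp" "$certsdir" >/dev/null 2>&1; then
        rc=0
    else
        echo "$certsdir: out of date, run 'certctl rehash'" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Populator for real use. The -c and -C options are an assumption about
# certctl(8); verify them against the manual page on your system.
certctl_rehash_into() {
    certctl -c "$1" -C "${CERTS_CONF:-/etc/openssl/certs.conf}" rehash
}

# Typical invocation (not run here):
#   certs_check /etc/openssl/certs /etc/openssl/certs.conf certctl_rehash_into
```

Because the comparison is a plain `diff -r' between a fresh rehash and the installed directory, the check reports a difference for any added, removed or changed file, which is exactly the "would create something different" condition; the `manual' short-circuit comes first so a hand-managed directory is never diffed against certctl's idea of its contents.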