Create a certificate authority cert and key for netboot (and other releng artifact) signing
To solve FS#80243 "[ipxe] embed another developer's certificate in ipxe-arch.*", it would be best to use certificates signed by a custom certificate authority.
This is a request to create and maintain a certificate authority key and certificate.
In the future the CA could sign a cert that the CI of archlinux/releng> would use to sign releng artifacts.
Using https://gitlab.archlinux.org/archlinux/archiso/-/blob/master/.gitlab/ci/build_archiso.sh as the base, the CA key and cert can be created with something like this:
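```bash
# Directory layout and file names for the CA.
ca_dir="$(realpath -- ./ca)"
ca_conf="${ca_dir}/certificate_authority.cnf"
ca_subj='/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/emailAddress=arch-releng@lists.archlinux.org/CN=Arch Linux Release Engineering Certificate Authority'
ca_cert="${ca_dir}/cacert.pem"
ca_key="${ca_dir}/private/cakey.pem"

mkdir -p "${ca_dir}/"{private,newcerts,crl}
# Copy the stock OpenSSL configuration to the path ${ca_conf} points to,
# so that the sed and openssl calls below operate on the same file.
cp -- /etc/ssl/openssl.cnf "${ca_conf}"
touch "${ca_dir}/index.txt"
echo "1000" >"${ca_dir}/serial"
# Point the copied configuration at the CA directory instead of /etc/ssl.
sed -i "s#/etc/ssl#${ca_dir}#g" "${ca_conf}"

# Create the CA key and the self-signed CA certificate in one step.
# -nodes leaves the private key unencrypted on disk.
# -days 2 limits the certificate to two days of validity.
openssl req \
    -newkey rsa:4096 \
    -sha256 \
    -nodes \
    -x509 \
    -keyout "${ca_key}" \
    -config "${ca_conf}" \
    -subj "${ca_subj}" \
    -days 2 \
    -out "${ca_cert}"
```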
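The chain of trust this issue proposes, as an added example that is not part of the original issue or of archiso: a CA issues a code-signing certificate, that certificate signs an artifact with CMS, and a verifier that is handed only the CA certificate accepts it while rejecting a signer issued by a different CA. The names `releng-ca`, `other-ca`, `ci-signer` and `outside-signer`, the extension sections, the use of CMS and the 2048-bit keys are assumptions made for the demo.

```bash
#!/bin/sh
# Added example. Names, subjects and the artifact are constructed for the demo.
set -eu
work="$(mktemp -d)"; trap 'rm -rf -- "${work}"' EXIT
cat >"${work}/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sign_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
# make_ca NAME: self-signed CA (2048-bit only to keep the demo fast).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 2 \
        -config "${work}/ext.cnf" -extensions ca_ext -subj "/CN=$1" \
        -keyout "${work}/$1.key" -out "${work}/$1.pem" 2>/dev/null
}
# issue_signer CA NAME: key and CSR for NAME, certificate issued by CA.
issue_signer() {
    openssl req -new -newkey rsa:2048 -nodes -config "${work}/ext.cnf" \
        -subj "/CN=$2" -keyout "${work}/$2.key" -out "${work}/$2.csr" 2>/dev/null
    openssl x509 -req -in "${work}/$2.csr" -CA "${work}/$1.pem" \
        -CAkey "${work}/$1.key" -CAcreateserial -sha256 -days 1 \
        -extfile "${work}/ext.cnf" -extensions sign_ext -out "${work}/$2.pem" 2>/dev/null
}
# sign_artifact NAME FILE: detached DER CMS signature with the signer cert embedded.
sign_artifact() {
    openssl cms -sign -binary -in "$2" -signer "${work}/$1.pem" \
        -inkey "${work}/$1.key" -outform DER -out "$2.$1.sig"
}
# verify_artifact CA FILE SIG: passes only if SIG covers FILE and chains to CA.
# -purpose any: the default S/MIME purpose rejects a codeSigning-only EKU.
verify_artifact() {
    openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
        -CAfile "${work}/$1.pem" -purpose any -out /dev/null 2>/dev/null
}

make_ca releng-ca; make_ca other-ca
issue_signer releng-ca ci-signer; issue_signer other-ca outside-signer
artifact="${work}/artifact.bin"; printf 'constructed artifact\n' >"${artifact}"
sign_artifact ci-signer "${artifact}"; sign_artifact outside-signer "${artifact}"
verify_artifact releng-ca "${artifact}" "${artifact}.ci-signer.sig" && echo "CA-issued signer: accepted"
verify_artifact releng-ca "${artifact}" "${artifact}.outside-signer.sig" || echo "other CA's signer: rejected"
```

Because the verifier pins the CA rather than one signer, a replacement signing certificate issued by the same CA verifies without changing what the verifier embeds.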