This makes it safer to trust this CA certificate in general-purpose https
clients, like web browsers, as it prevents such trusted CA certificate
from issuing rogue certificates.
Bump pyOpenSSL to latest version (and, as a consequence of pyOpenSSL
18.0.0 itself requiring cryptography 2.1.1, bump it as well) as it seems to
fix a bug related to validating NameConstraints - and anyway fixes
worrying use-after-free errors.