Emit Certificate Revocation Lists signed by all valid CAs.
Apparently openssl (or at least how it is used in stunnel4) fails to
validate a certificate when CRL validation is enabled and the key which
signed the CRL differs from the key which signed the certificate.
Also, add Authority Key Identifier CRL extension, required to be standard-
Also, fix revocation entry expiration: the RFC requires them to be kept
at least one renewal cycle after the certificate's expiration.
As a consequence of this whole change:
- the protocol for retrieving the current CRL changes to return the
concatenated list of CRLs, which breaks the CRL distribution (...but
the distributed CRLs were invalid anyway)
- stop storing the CRL PEM in caucased's database so that it gets
re-generated with fresh code. As caucased is not expected to be
restarted very often, the extra CRL generation on every start should
not make a difference.
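
How a client might consume the concatenated CRL list described above, as an added example that is not part of the original commit or the project's code: it picks the CRL whose Authority Key Identifier matches the key that signed the certificate, then verifies that CRL under the same key. It assumes the list is concatenated PEM and uses the Python `cryptography` package; all names and sample values are constructed.

```python
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample values, not taken from the page.
NOW = datetime.datetime(2024, 1, 1)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed CA")])
PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----.+?-----END X509 CRL-----", re.S)
AKI = x509.AuthorityKeyIdentifier


def new_ca_key():
    """Constructed CA key; assumption: all valid CAs share CA_NAME."""
    return ec.generate_private_key(ec.SECP256R1())


def make_crl(ca_key, revoked_serials):
    """Build a PEM CRL signed by ca_key, with its Authority Key Identifier."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=1))
        .add_extension(AKI.from_issuer_public_key(ca_key.public_key()), critical=False)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial)
        builder = builder.add_revoked_certificate(entry.revocation_date(NOW).build())
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)


def is_revoked(crl_bundle, issuer_public_key, serial):
    """Look serial up in the CRL signed by the key that signed the certificate."""
    wanted = AKI.from_issuer_public_key(issuer_public_key).key_identifier
    for pem in PEM_CRL.findall(crl_bundle):
        crl = x509.load_pem_x509_crl(pem)
        ext = crl.extensions.get_extension_for_class(AKI)
        if ext.value.key_identifier != wanted:
            continue  # CRL from another CA key: skip it instead of failing
        if not crl.is_signature_valid(issuer_public_key):
            raise ValueError("CRL signature does not verify under the issuer key")
        return crl.get_revoked_certificate_by_serial_number(serial) is not None
    raise LookupError("bundle holds no CRL signed by this issuer key")
```

A bundle that lacks a CRL for the certificate's issuer key raises `LookupError`, so a missing CRL is never read as "not revoked".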