This fixes late-trust-bootstrap clients' ability to trust certificates
issued by an older CA.

Emit Certificate Revocation Lists signed by all valid CAs.
Apparently openssl (or at least how it is used in stunnel4) fails to
validate a certificate when CRL validation is enabled and the key which
signed the CRL differs from the key which signed the certificate.
Also, add Authority Key Identifier CRL extension, required to be standard-
compliant.
Also, fix revocation entry expiration: the RFC requires them to be kept
at least one renewal cycle after the certificate's expiration.
As a consequence of this whole change:
- the protocol for retrieving the curren CRL changes to return the
  concatenated list of CRLs, which breaks the CRL distribution (...but
  the distributed CRLs were invalid anyway)
- stop storing the CRL PEM in caucased's database so that it gets
  re-generated with fresh code. As caucased is not expected to be
  restarted very often, the extra CRL generation on every start should
  not make a difference.

So it can be reused elsewhere.

Also, some word-wrapping.

Makes the code easier to read.

The only one present is not intended to be internally assigned.

datetime.datetime.fromtimestamp applies timezones, which is unintended.
Fixes a time drift on revoked certificates.

Also, this provides a handy location to log all queries when debugging.
Also, some minor cleanups.

So they can be reused for more PEM-encoded types.

Because this is not the job of an import/export tool.

Tests are supposed to help spot errors, and caucased access traces help
with this too.

So that stdout may be more reliably used for scripting.

bad-option-value has an effect on the "disable" line, but somehow none on the
"enable" line. So remove it altogether.

python2.7 with pylint 1.9.5
python3.9 with pylint 2.6.0
Also, reduce the script of unused argument silencing.

It is redundant, but regular runner output does not display the test class.

Thanks, modern pylint !

Otherwise, client certificates issued before a new CA is used get rejected
once the new CA becomes current.

This extension is required by rfc5280 (see section 5.2.1) but was
overlooked.

The result only changes when CA certificates are reloaded, so prepare this
valuein _loadCAKeyPairList.

"expires" takes an absolute date, "max-age" takes a number of seconds until
expiration.
So switch to "max-age": according to Mozilla Developer Network, it is
supported by all major browsers, and by IE since version 8.