So it can be reused elsewhere.

Also, some word-wrapping.

Makes the code easier to read.

The only one present is not intended to be internally assigned.

datetime.datetime.fromtimestamp applies timezones, which is unintended.
Fixes a time drift on revoked certificates.

Also, this provides a handy location to log all queries when debugging.
Also, some minor cleanups.

So they can be reused for more PEM-encoded types.

Because this is not the job of an import/export tool.

Tests are supposed to help spot errors, and caucased access traces help
with this too.

So that stdout may be more reliably used for scripting.

bad-option-value has an effect on the "disable" line, but somehow none on the
"enable" line. So remove it altogether.

python2.7 with pylint 1.9.5
python3.9 with pylint 2.6.0
Also, reduce the script of unused argument silencing.

It is redundant, but regular runner output does not display the test class.

Thanks, modern pylint !

Otherwise, client certificates issued before a new CA is used get rejected
once the new CA becomes current.

This extension is required by rfc5280 (see section 5.2.1) but was
overlooked.

The result only changes when CA certificates are reloaded, so prepare this
valuein _loadCAKeyPairList.

"expires" takes an absolute date, "max-age" takes a number of seconds until
expiration.
So switch to "max-age": according to Mozilla Developer Network, it is
supported by all major browsers, and by IE since version 8.