caroot: regenerate the root bundle with OpenSSL 3

No functional change intended.

caroot: drop the VERSION tag from already-processed certs

An update is imminent; drop these now to make it easier to audit the
results.

caroot: reroll the remaining certs

This adds a specific note that these are explicitly trusted for
server auth.

MFC after: 3 days

caroot: drop $FreeBSD$ expansion from root bundle

This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

caroot: drop $FreeBSD$ expansion from root bundle

This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

MFC after: 3 days

show more ...

Merge ^/head r352764 through r353315.

caroot: commit initial bundle

Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- c

caroot: commit initial bundle

Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from: secteam
Relnotes: Definite maybe

show more ...