[arch-dev-public] Rethinking our CA certificate setup