security/ca_root_nss: only add SERVER_AUTH certs,
and support CKA_NSS_SERVER_DISTRUST_AFTER to not include
certificates if the extracted bundle of certificates
is generated later than the expiration date.
This script no longer emits trust certificates for
- EMAIL_PROTECTION
- CODE_SIGNING
because the default certificate bundle in FreeBSD is supposed to
be used for server authentication.
Reported by: Christian Heimes <christian@python.org>
via: Gordon Tetlow
Approved by: ports-secteam (riggs@) (maintainer)