@Lukasa
Member

@Lukasa Lukasa commented Apr 23, 2015

This is my current proposal to update the cert bundle, satisfying the requirements of kennethreitz/requests#2455. I haven't fully tested this yet, as my Mac actually makes it really hard to reproduce this problem!

@Lukasa
Member Author

Lukasa commented Apr 23, 2015

A quick test does appear to show that this functions 'correctly'.

@Lukasa
Member Author

Lukasa commented Apr 23, 2015

Ok, so the remaining questions on this issue are about policy.

My plan is as follows:

  • Ship a certifi that includes the new certs and the old.
  • (A month or two away) Ship a certifi that has two bundles: only the new, and then one containing the new and the old. Use the new by default, but have programmatic fallback to the old.
  • (Several months after) Remove the fallback to the old.

Let's firm up those dates.

@sigmavirus24
Member

I like the policy. I wonder if we should set up some integrations on this repo so that we can say... write some tests to make requests to some selection of sites using the bundle in certifi to make sure it continues to function as we expect for some selection of X beyond httpbin.

@Lukasa
Member Author

Lukasa commented Apr 27, 2015

@sigmavirus24 Sounds like a good plan, I'll write some infrastructure for it some shiny weekend when I have a few hours. =)

@Lukasa
Member Author

Lukasa commented Apr 27, 2015

In the meantime, I'm picking some dates.

  • Today/Tomorrow: A new certifi release containing the 1024-bit roots.
  • End of May: A new certifi release containing two bundles, one weak and one strong, defaulting to the new bundle. Issues a DeprecationWarning if the old bundle is used.
  • End of September: A new certifi release containing only the strong bundle.
Lukasa added a commit that referenced this pull request Apr 28, 2015
Update bundle to include 1024-bit roots
@Lukasa Lukasa merged commit f0bceb7 into master Apr 28, 2015
@Lukasa Lukasa deleted the update_bundle branch April 28, 2015 17:31
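
The "use the new by default, but have programmatic fallback to the old" step from the plan in this thread, together with the DeprecationWarning from the dated schedule, could look like this on the caller's side. This is an added example, not code from this pull request or from certifi; the bundle file names and the functions `tls_handshake` and `connect_with_fallback` are hypothetical.

```python
import socket
import ssl
import warnings

# Hypothetical file names: the thread does not name the two bundles.
STRONG_BUNDLE = "cacert.pem"       # roots without the 1024-bit ones
WEAK_BUNDLE = "weak-cacert.pem"    # the same roots plus the old 1024-bit roots


def tls_handshake(host, cafile, port=443, timeout=10.0):
    """Verify host's chain against cafile only; return the TLS version."""
    # With cafile given, create_default_context() does not load system roots.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def connect_with_fallback(host, handshake=tls_handshake,
                          strong=STRONG_BUNDLE, weak=WEAK_BUNDLE):
    """Try the strong bundle first and return (result, bundle_used).

    The weak bundle is tried only after a certificate verification failure,
    never after other TLS or network errors, and a successful retry emits a
    DeprecationWarning so that hosts depending on 1024-bit roots are visible
    before the weak bundle is removed.
    """
    try:
        return handshake(host, strong), "strong"
    except ssl.SSLCertVerificationError as strong_err:
        try:
            result = handshake(host, weak)
        except ssl.SSLCertVerificationError:
            # Untrusted under both bundles: surface the original failure.
            raise strong_err from None
        warnings.warn(
            f"{host} only verifies against the bundle with 1024-bit roots; "
            "that bundle is scheduled for removal",
            DeprecationWarning, stacklevel=2)
        return result, "weak"
```

Running with `python -W error::DeprecationWarning` turns every fallback into a hard failure, which previews behaviour after the weak bundle is gone.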