With SHA-1 deprecation, we need a few certificates using algorithms in
the default support list. Most tests still use SHA-1 though.
The generation process for the new certificates is recorded in the makefile.
As we're about to change the chain construction logic, we want to make sure
the callback will still be called exactly when it should, and not on the
(upcoming) ignored certs in the chain.