This PR transitions the system from an ephemeral Root CA (where the private key was destroyed after leaf generation) to a Persistent Local CA architecture.

Key changes include:

1. Refactored Utility: EphemeralCAUtility.java is now LocalCAUtility.java.
2. Persistence: The Root CA private key is now securely stored in osh-keystore.p12 under the alias root-ca. It is encrypted using the auto-generated password in .app_secrets.
3. Automated Renewal: SensorHubWrapper now calls LocalCAUtility.checkAndRenewCertificates() on every boot. If the jetty leaf certificate is within 30 days of expiration, it is automatically regenerated and signed by the persistent Root CA.
4. Lifespan Changes: Root CA now has a 20-year lifespan to minimize manual trust-store updates for operators. Leaf certificates remain at 1 year.
5. Centralized Management: Launch scripts no longer manually call the CA utility; all certificate lifecycle management is now handled within the Java application's startup sequence.
6. Documentation: Architecture wikis have been updated to reflect the new persistent PKI and automated renewal logic as per AI_CONTRIBUTING_RULES.md.

Verification:

• Added LocalCAUtilityTest.java to verify initial generation and lifespan logic.
• Verified compilation and test pass via ./gradlew :security-utils:test.
• Manual inspection of launch.sh and launch.bat confirm removal of obsolete generation steps.

Fixes #63

PR created automatically by Jules for task 8825928146862250262 started by @tyronechrisharris

🔄 Auto-Distributed via Sync

Original Flat Repo PR: tyronechrisharris/oscar-flat#64

🔗 Related Updates in this Sync:

• Implement Persistent, Auto-Renewing Local CA PKI earocorn/osh-core#9
• Implement Persistent, Auto-Renewing Local CA PKI opensensorhub/osh-addons#183
• Implement Persistent, Auto-Renewing Local CA PKI #268
• Implement Persistent, Auto-Renewing Local CA PKI osh-oakridge-modules#168
• Update OSCAR submodule pointers for: Implement Persistent, Auto-Renewing Local CA PKI osh-oakridge-buildnode#132