In the spirit of 'Each logical configuration item is settable in exactly one place':
Startup/TDAP: If the dates in /etc/ssl/citadel/citadel.cer are out of range, or the certificate will expire within two months, log/send a warning email.
Webcit: If /etc/ssl/citadel/citadel.cer exists, change 'node name' and 'FQDN' to drop-down lists populated from the cert CN/alt DNS, and warn if there are cert issues.
Cit-server: On startup, if /etc/ssl/citadel/citadel.cer or /etc/ssl/citadel/citadel.key exists:
  If /etc/ssl/citadel/citadel.key doesn't exist, or doesn't have security mode 0400 and ownership by root: fail on startup.
  If /etc/ssl/citadel/citadel.cer doesn't exist or isn't a valid certificate (except for dates): fail on startup.
  Only if the config items 'node name' and 'FQDN' are not in the CN or alt DNS: populate automagically from the cert CN.
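
A sketch of the key-file and date checks proposed above, added here as an example and not taken from the Citadel source. The function and enum names are hypothetical, "two months" is assumed to mean 60 days, and the certificate's validity dates are assumed to be parsed elsewhere and passed in as time_t values.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical names; not part of Citadel. */
enum key_status { KEY_OK, KEY_MISSING, KEY_UNREADABLE, KEY_NOT_REGULAR, KEY_BAD_MODE, KEY_BAD_OWNER };
enum cert_dates { CERT_DATES_OK, CERT_EXPIRING_SOON, CERT_OUT_OF_RANGE };
#define WARN_WINDOW_SECS (60L * 24 * 60 * 60) /* assumption: two months = 60 days */

/* Key rule: file exists, mode is exactly 0400, owner is `owner` (0 = root).
 * open() then fstat() so the file inspected is the file opened; O_NOFOLLOW
 * rejects a symlink, O_NONBLOCK avoids hanging on a FIFO. */
enum key_status check_key_file(const char *path, uid_t owner)
{
    struct stat st;
    enum key_status rc = KEY_OK;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return errno == ENOENT ? KEY_MISSING : KEY_UNREADABLE;
    if (fstat(fd, &st) != 0)                    rc = KEY_UNREADABLE;
    else if (!S_ISREG(st.st_mode))              rc = KEY_NOT_REGULAR;
    else if ((st.st_mode & 07777) != 0400)      rc = KEY_BAD_MODE;
    else if (st.st_uid != owner)                rc = KEY_BAD_OWNER;
    close(fd);
    return rc;
}

/* Date rule: both non-OK results are warnings, not startup failures. */
enum cert_dates check_cert_dates(time_t not_before, time_t not_after, time_t now)
{
    if (now < not_before || now > not_after)
        return CERT_OUT_OF_RANGE;
    if (not_after - now <= WARN_WINDOW_SECS)
        return CERT_EXPIRING_SOON;
    return CERT_DATES_OK;
}

int main(void)
{
    enum key_status ks = check_key_file("/etc/ssl/citadel/citadel.key", 0);
    /* Neither file present: the startup rule does not apply. */
    if (ks == KEY_MISSING && access("/etc/ssl/citadel/citadel.cer", F_OK) != 0)
        return 0;
    if (ks != KEY_OK)
        fprintf(stderr, "citadel.key check failed (status %d)\n", (int)ks);
    return ks == KEY_OK ? 0 : 1;
}
```

Run it as the user that starts the server: a key the process cannot open is reported as KEY_UNREADABLE rather than passing.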
