Currently when changing certificates in the test server we need to go through a few steps:

1. Generate the new server certificate with whatever changes are needed (or just regenerate if expired)
2. prepare all current branches for the change (e.g. must be able to accept one of two certificates in the ServerHello).
   1. It needs to be in all branches before the next step to avoid breaking CI for everyone else
3. Deploy the certificate to the server
   1. Done through one of the qtqa repositories
4. Switch over the test to only use the new certificate

However, if we use a long-lived certificate authority which we can add to trusted CAs in the test, and don't keep a copy of the server's certificate in the source we can skip step 2 and 4. The process would be more like this

1. Generate the new server certificate with whatever changes needed
2. Sign the certificate using our certificate authority
3. Deploy to server

All branches still trust the CA so the new certificate will automatically be accepted. If we need to test specific things about a certificate (such as comparing fields and/or testing parsing) then this test should be done in-process.