HomeMate PKI trust endpoint.

Public CA artifacts:
  /ca-bundle.pem            — root + intermediate (recommended for device firmware)
  /homemate-root-ca.crt     — root only
  /homemate-issuing-ca.crt  — intermediate only

Revocation:
  /crl      /homemate-crl.der  — current CRL in DER (binary, browsers/openssl preferred)
  /crl.pem  /homemate-crl.pem  — current CRL in PEM (human-readable)
  Refresh: hourly via homemate-crl-refresh.timer

The MQTT broker at mqtts://mqtt.homematesmart.com:8884 presents a cert chained to these CAs.
Bake /ca-bundle.pem into device firmware to verify it, and have firmware re-fetch /crl daily
to enforce revocation.
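
Added example (not part of the HomeMate endpoint or its firmware): an offline check showing that a certificate stays "valid" against the CA file alone and is only rejected once the CRL is actually passed to the verifier, which is why the daily CRL re-fetch matters. It assumes the openssl CLI is installed; the throwaway CA, the name broker.example and the functions verify_leaf and crl_demo are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway CA and leaf stand in for the HomeMate CA and the
# broker certificate. Nothing here contacts the real endpoint.

# verify_leaf CA_PEM CRL_PEM LEAF_PEM -> exit 0 only if the chain is valid AND not revoked
verify_leaf() {
  openssl verify -CAfile "$1" -crl_check -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Builds the demo PKI in a temp dir; prints verdicts: before revoke, after revoke, no CRL.
crl_demo() {
  local d; d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    exec 2>/dev/null
    : > index.txt; echo 01 > crlnumber
    cat > pki.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    demo_ca() { openssl ca -config pki.cnf -cert ca.pem -keyfile ca.key "$@" >/dev/null; }
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -keyout ca.key \
      -out ca.pem -subj "/CN=Demo Root CA" -days 2 >/dev/null
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
      -out leaf.csr -subj "/CN=broker.example" >/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
      -days 1 -out leaf.pem >/dev/null
    demo_ca -gencrl -out crl.pem                      # CRL with no entries yet
    if verify_leaf ca.pem crl.pem leaf.pem; then before=valid; else before=rejected; fi
    demo_ca -revoke leaf.pem                          # CA revokes the leaf
    demo_ca -gencrl -out crl.pem                      # republished CRL lists serial 4097
    if verify_leaf ca.pem crl.pem leaf.pem; then after=valid; else after=revoked; fi
    # Same revoked leaf, but verified without any CRL (stale or missing CRL on device)
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null; then nocrl=valid; else nocrl=rejected; fi
    echo "$before $after $nocrl"
  )
  rm -rf "$d"
}
crl_demo   # prints: valid revoked valid
```

On a device, the first two arguments of verify_leaf correspond to the baked-in /ca-bundle.pem and the most recently fetched /crl.pem. openssl's -crl_check checks revocation for the end-entity certificate only.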