This also rewrites the certificate validation script (which we need for this) slightly. This could need a bit of caching, but should generally work very reliably.
