Replace all test private keys with dynamically-generated keys like //.hierarchy

[aarongable]

Twice in the last two weeks we have uploaded new private keys in PRs, and had to have SRE block those keys because they're compromised.

This should be impossible. We should make it so that boulder has no need for checked-in keys, by dynamically generating any such keys when the integration tests start. Then we should enable push protection with secret scanning to ensure that we never upload a private key to this repo ever again.

$ ag -l "BEGIN.*PRIVATE KEY"

• [x] test/test-root2.key
• [x] test/test-root.key
• [ ] test/hierarchy/*.key.pem
• [x] test/grpc-creds/*/key.pem
• [x] test/test-ee.key
• [x] test/test-example.key
• [x] test/mail-test-srv/localhost/key.pem
• [x] test/mail-test-srv/minica-key.pem
• [x] test/redis-tls/minica-key.pem
• [x] test/redis-tls/boulder/key.pem
• [x] test/redis-tls/boulder-redis/key.pem
• [x] test/redis-tls/redis/key.pem
• [x] test/wfe-tls/minica-key.pem
• [x] test/wfe-tls/boulder/key.pem
• [x] ca/testdata/ca_key.pem
• [x] ca/testdata/testcsr.go
• [x] cmd/ocsp-responder/testdata/test-ca.key
• [x] grpc/creds/testdata/example.com/key.pem
• [x] wfe2/test/238.key
• [x] wfe2/test/178.key
• [ ] wfe2/wfe_test.go

$ find -type f -iname '*.der'

• [x] //test/test-root.key.der
• [ ] //test/test-key-5.der
• [x] //test/test-ca.key.der

[pgporada]

There's also some DER encoded private keys floating around such as the following. Note that public keys haven't been sorted out from this.

$ find -type f -iname '*.der'
./test/test-root.key.der
./test/test-ca.der
./test/test-key-5.der
./test/test-ca.key.der
./test/test-root.der

[aarongable]

test-ca.der and test-root.der are certificates; I've added the others to the checklist above.

[aarongable]

With #7488 out for review, only three clusters of keys remains:

• test-key-5 and the keys hardcoded into wfe_test.go, which correspond to pubkeys hardcoded into mocks/mocks.go and will therefore be a bit more complicated to remove
• the minica keys and certs for mail-test-srv, redis-tls, and wfe-tls, which can largely just be moved into the dynamically-generated PKI, except that some of them are used by unittests too
• //test/hierarchy, which we use nearly everywhere, and have been discussing replacing with a test-only package that generates such certs in-memory at init() time.