From 4c1db3ebe0d6014cdd5c0b6b1bd1def58f065346 Mon Sep 17 00:00:00 2001
From: Draco-Lunaris-Echo <draco-lunaris-echo@moon-dragon.us>
Date: Wed, 10 Jun 2026 10:03:00 -0500
Subject: [PATCH] fix(packaging): convert CA key from SEC1 to PKCS#8 for Rust
 pm-ca parser

The Rust pm-ca crate (crates/pm-ca/src/ca.rs) only parses PKCS#8
format private keys. openssl ecparam -genkey produces SEC1 format
(BEGIN EC PRIVATE KEY), which the Rust ring/RSA parser rejects
with "parse CA private-key PEM", causing the service to crash-loop
on startup.

Proven on LPM: converting ca.key with openssl pkcs8 -topk8 -nocrypt
and restarting patch-manager-web results in:
  Root CA loaded successfully
  Listening (HTTPS) on 0.0.0.0:443
---
 Cargo.toml               | 2 +-
 debian/changelog         | 6 ++++++
 debian/control           | 2 +-
 debian/postinst          | 2 ++
 frontend/package.json    | 2 +-
 scripts/build-package.sh | 2 +-
 6 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index c0c5347..6f6cc93 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,7 +12,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.1.13"
+version = "1.1.14"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 license = "MIT"
diff --git a/debian/changelog b/debian/changelog
index baf4d48..a972915 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-patch-manager (1.1.14-1) unstable; urgency=low
+
+  * Release v1.1.14
+
+ -- git-echo <git-echo@moon-dragon.us>  Wed, 10 Jun 2026 10:02:44 -0500
+
 linux-patch-manager (1.1.13-1) unstable; urgency=low
 
   * Release v1.1.13
diff --git a/debian/control b/debian/control
index d43a3bf..d37686d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,5 @@
 Package: linux-patch-manager
-Version: 1.1.13-1
+Version: 1.1.14-1
 Architecture: amd64
 Maintainer: Moon Dragon <echo@moon-dragon.us>
 Installed-Size: 45000
diff --git a/debian/postinst b/debian/postinst
index 2f9f91e..3c084da 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -277,6 +277,8 @@ generate_tls_certs() {
     if [[ ! -f "${ca_cert}" ]]; then
         info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..."
         openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}"
+        # Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8).
+        openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}"
         openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \
             -days 3650 \
             -subj "/CN=Patch Manager Root CA/O=Patch Manager" \
diff --git a/frontend/package.json b/frontend/package.json
index bb43961..341e688 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "patch-manager-ui",
   "private": true,
-  "version": "1.1.13",
+  "version": "1.1.14",
   "type": "module",
   "scripts": {
     "dev": "vite",
diff --git a/scripts/build-package.sh b/scripts/build-package.sh
index c3bf993..63ca976 100755
--- a/scripts/build-package.sh
+++ b/scripts/build-package.sh
@@ -22,7 +22,7 @@ warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
 error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-VERSION="1.1.13"
+VERSION="1.1.14"
 RELEASE="1"
 PKG_NAME="linux-patch-manager"
 DEB_NAME="${PKG_NAME}_${VERSION}-${RELEASE}_amd64.deb"