fix(packaging): convert CA key from SEC1 to PKCS#8 for Rust pm-ca parser

The Rust pm-ca crate (crates/pm-ca/src/ca.rs) only parses PKCS#8
format private keys. openssl ecparam -genkey produces SEC1 format
(BEGIN EC PRIVATE KEY), which the Rust ring/RSA parser rejects
with "parse CA private-key PEM", causing the service to crash-loop
on startup.

Proven on LPM: converting ca.key with openssl pkcs8 -topk8 -nocrypt
and restarting patch-manager-web results in:
  Root CA loaded successfully
  Listening (HTTPS) on 0.0.0.0:443

debian/changelog

@@ -1,3 +1,9 @@
+linux-patch-manager (1.1.14-1) unstable; urgency=low
+
+  * Release v1.1.14
+
+ -- git-echo <git-echo@moon-dragon.us>  Wed, 10 Jun 2026 10:02:44 -0500
+
 linux-patch-manager (1.1.13-1) unstable; urgency=low
 
   * Release v1.1.13

debian/control

@@ -1,5 +1,5 @@
 Package: linux-patch-manager
-Version: 1.1.13-1
+Version: 1.1.14-1
 Architecture: amd64
 Maintainer: Moon Dragon <echo@moon-dragon.us>
 Installed-Size: 45000

debian/postinst

@@ -277,6 +277,8 @@ generate_tls_certs() {
     if [[ ! -f "${ca_cert}" ]]; then
         info "Generating internal Certificate Authority (ECDSA P-256, 10-year validity)..."
         openssl ecparam -genkey -name prime256v1 -noout -out "${ca_key}"
+        # Convert SEC1 → PKCS#8 (the Rust pm-ca crate only parses PKCS#8).
+        openssl pkcs8 -topk8 -nocrypt -in "${ca_key}" -out "${ca_key}.tmp" && mv "${ca_key}.tmp" "${ca_key}"
         openssl req -new -x509 -key "${ca_key}" -out "${ca_cert}" \
             -days 3650 \
             -subj "/CN=Patch Manager Root CA/O=Patch Manager" \