fn write_atomic(path: &Path, contents: &[u8]) -> Result<()>
Tempfile + rename so a crash mid-write doesn’t leave a half-written cert.
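A sketch of the tempfile-plus-rename pattern described above, added here as an example and not the project's own implementation. The name `write_atomic_sketch`, the `io::Result` return type, the temp-file naming scheme and the `0o600` mode are assumptions made for illustration.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

// Added sketch, not the project's implementation: write to a temp file
// beside `path`, flush it to disk, then rename it over `path`.
pub fn write_atomic_sketch(path: &Path, contents: &[u8]) -> io::Result<()> {
    // Same directory as the target: rename is only atomic within one filesystem.
    let dir = match path.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let name = path.file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
    // Assumed temp naming scheme: hidden file suffixed with our PID.
    let tmp = dir.join(format!(".{}.{}.tmp", name.to_string_lossy(), std::process::id()));

    let result = (|| -> io::Result<()> {
        // create_new refuses an existing name, so a pre-planted file or
        // symlink at the temp path is never written through.
        let mut opts = OpenOptions::new();
        opts.write(true).create_new(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(0o600); // assumption: cert material, owner-only
        }
        let mut f = opts.open(&tmp)?;
        f.write_all(contents)?;
        f.sync_all()?; // data must be durable before the rename exposes it
        fs::rename(&tmp, path)?; // readers see the old file or the new one
        #[cfg(unix)]
        {
            File::open(dir)?.sync_all()?; // persist the directory entry
        }
        Ok(())
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // best-effort cleanup of the temp file
    }
    result
}

fn main() -> io::Result<()> {
    // Constructed sample input, not a real certificate.
    let target = std::env::temp_dir().join("write_atomic_demo.pem");
    write_atomic_sketch(&target, b"-----BEGIN CERTIFICATE-----\n(constructed)\n")?;
    println!("wrote {}", target.display());
    Ok(())
}
```

Without the `sync_all` before the rename, a power loss can leave the new name pointing at an empty or truncated file on some filesystems, which is the half-written state the rename is meant to prevent.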