In 'x509ca check', add an option to pass the CA certificate so that the tool can verify that it actually signed the service certificate (used to detect CA changes).