Add a mostly-working "local" signer
Split the parts of the OpenSSL self-signer out and teach them to use a
signer identified by a signing certificate and a different key to sign
the certificate.
Use that function to sign a locally-generated toy CA certificate.