avoid reinitializing NSS unnecessarily in CSR gen

Avoid reinitializing NSS unnecessarily when we're generating extensions
for inclusion in a CSR. In FIPS mode, apparently this invalidates
existing handles to private keys, which prevents us from signing CSRs.