fix self-signing with OpenSSL in FIPS mode
Don't use X509_REQ_to_X509() to populate a new template certificate,
since that attempts to sign using MD5, which fails in FIPS mode. Just
allocate the X509 structure ourselves, and directly populate its
subject, issuer, and public key fields.