New test: getcert request/resubmit/rekey
Add a test that uses getcert with its wait flags to let the session
daemon actually run everything using the local signer. After each
operation completes, check that we have a key and a certificate, that
the certificate (and only the certificate) is changed after a resubmit,
and that both the key and certificate are changed after a rekey.