Separate local validity lifetime's from selfsign's
When generating the local signer's CA certificate, consult the "local"
section of certmonger.conf to determine a validity lifetime, using the
value in the "selfsign" section as a fallback, instead of always just
using the "selfsign" section's value. This allows them to be set to
different values, though at present they keep the same default settings.