Use ceremony tool for generating keys and certs; store keys on SoftHSM

Replace openssl certificate / CRL generation with the tool as used by
Let's Encrypt, storing the keys on SoftHSMv2, a simulated HSM (Hardware
Security Module).
Include migration of old setups where key files were also stored on
disk.

patch.sh

@@ -23,6 +23,10 @@ $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_ca.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_ca_keytype_hack.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
+$SUDO patch -p1 < $cloneDir/patches/ceremony_ecdsa.patch
+$SUDO patch -p1 < $cloneDir/patches/ceremony_key.patch
+$SUDO patch -p1 < $cloneDir/patches/ceremony_main.patch
+$SUDO patch -p1 < $cloneDir/patches/ceremony_rsa.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch
 $SUDO patch -p1 < $cloneDir/patches/config_duration.patch
@@ -50,6 +54,7 @@ $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
 $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
+$SUDO patch -p1 < $cloneDir/patches/start.patch
 if [ "$SUDO" == "" ]; then
     # TODO: should include this into startservers.patch
     $SUDO patch -p1 < $cloneDir/build/tmp2.patch