Replace openssl certificate / CRL generation with the tool as used by
Let's Encrypt, storing the keys on SoftHSMv2, a simulated HSM (Hardware
Security Module).
Include migration of old setups where key files were also stored on
disk.
When in lockdown mode, only those domains can be used to request certificates for,
but it also only accepts email addresses in those domains. With this option in the
GUI it is now possible to still allow all public domains in contact addresses.
When generating a new Root CA certificate, show the key in the GUI and ask the user to
store it offline. When importing an existing CA make the root key optional.
When the private key is needed but we don't have it, ask the user to provide it. You
can now also create a CSR for the Issuer CA that can be signed by the offline Root CA.
