Support sub-CA OCSP signing delegation

[pki-bot]

This issue was migrated from Pagure Issue #1337. Originally filed by ftweedal (@frasertweedale) on 2015-04-08 09:57:50:

• Assigned to nobody

---

In the initial implementation, lightweight sub-CAs sign OCSP
responses with the CA signing certificate.

It should be possible to configure (at creation time) a lightweight
sub-CA to delegate OCSP signing to a dedicated, subordinate OCSP
signing certificate. This will involve:

• update API and CLI to have option to specify whether OCSP delegation
  should be used, and register the choice with the subCA config.

• generating an additional keypair for OCSP signing and ensure the private
  key is replicated among replica

• create request and sign the OCSP signing certificate

• update OCSP responder and/or CertificateAuthority class to, for subCAs using
  OCSP delegation, instantiate a SigningUnit for OCSP and use it when signing
  OCSP requests.

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2017-02-27 14:09:32

Metadata Update from @frasertweedale:

• Issue set to the milestone: UNTRIAGED