Allow inclusion of a CSR in new-order requests

[bifurcation]

In #342, we moved the CSR from the new-order request to a "finalize" request. In making that change, we dropped support for certain legacy back-end APIs that require a CSR before issuing challenges. If we want to support those back-ends, we will need to re-enable sending CSR in new-order. It seems like there are basically three things to define here:

1. Add a flag in dictionary.meta to indicate that a CSR is required in new-order
2. Re-add "csr" as a field in the new-order request and order objects
3. Add an error code that indicates that a CSR was required in a new-order request

These features are cleanly enough separated that they can probably be handled in a small extension spec if there is a need for them.