The certs generated are defined in RFD 303.
permslip already has such a mechanism that was prototyped here, but I think the branch got deleted, so we should crib from permslip.
We've gotta be able to oks ca init such a CA, which requires bootstrapping whatever persistent metadata we need. The current implementation does so for an openssl ca, but whether or not we should maintain backward compatibility is an open question.