FIXME autosign? should probably accept both hostnames and IP addresses
our client sends us a csr, and we either store it for later signing, or we sign it right away
[Validate]