[master] Add `x509_v2` SSH wrapper, emulate `x509.certificate_managed` during `state.apply`

[lkubb]

What does this PR do?

• Adds wrapper functions for x509.create_certificate and x509.get_signing_policy
• Introduces a workaround for state modules not having wrappers for certificate_managed (essentially a very sophisticated Jinja macro) - certificates can now be managed via salt-ssh state.apply even when they are issued on a remote (this should also work for other salt-ssh minions from the roster as the CA, but it's hard to write tests for)
• Fixes a bug that meant passing encoding to file.managed via the x509_v2 state module was impossible (I don't think anyone uses this though)

What issues does this PR fix or reference?

Fixes: https://github.com/saltstack/salt/issues/65728 Fixes: https://github.com/saltstack/salt/issues/40943 (actually fixes the author's issue - the title asks for a different thing than is necessary)

Previous Behavior

• The x509_v2 modules could not request remotely signed certificates when run via salt-ssh

New Behavior

• Certificates on SSH minions can be managed, even when a different minion issues them and even statefully

Merge requirements satisfied?

• [x] Docs
• [x] Changelog
• [x] Tests written/updated

Commits signed with GPG?

Yes

[lkubb]

~~If this is going to be merged, I would advise to wait until https://github.com/saltstack/salt/pull/65838 has found its way into master and this has been rebased to avoid the maintainers having to deal with merge conflicts.~~

Rebased.