Add flag to take subject/SANs from existing cert

[mcpherrinm]

Sometimes you've already got a crt/key already, and you just want it reissued.

We've got a --key for certstrap request-cert to use an existing cert, maybe we should have a --cert too.

The exact semantics are a little tricky. Like, should we copy the extended-validation OIDs? (Generally, I think "no" because the CA should provide those). At very least we should take the normal subject stuff (CN, O, OU, L, ...) and SANs.