Support HSM-style certificate stores

[mithrandi]

This would require enhancing the ICertificateStore interface (IOpaqueCertificateStore, maybe?); instead of txacme generating the private key and then signing the CSR with it, txacme would need to hand the CSR over to the certificate store for signing.

This is necessary for supporting HSMs, or HSM-like certificate stores (many software stores behave like an HSM in that access to the private key is restricted by policy, even though it obviously is still possible to extract the key).