Allow admin logins to autoinstalled sites via certificates

[geofft]

Occasionally people forget the password for their WordPress, MediaWiki, whatever and need admin access. Independent of full certificate-based authentication, it would be useful if, say, we pre-configured an admin account that you could get to with the certificates of the person who did the autoinstall. At that point, you could reset other accounts' passwords from the web app's own admin interface.

For bonus points, make it allow the certificates of anyone who's currently a locker admin, by using admof in some clever way.

This is mostly inspired by ​RT #2655657.