Self-service cert requests in Pony

[adehnert]

Ideally, our users could click a button in Pony and get a cert (eventually) issued, both for MIT and non-MIT certs. For both, we need #52 first -- Apache restarts are O(N*N) in number of vhosts on disk, which means we'd like a human approval process to keep the numbers down/controlled.

For MIT, I think that's it (though we shouldn't send the MITcert email until the hostname is actually approved). For non-MIT, we may want to think about how comfortable we are with a ~CSR-issuing oracle (even if only for names pointing at us) without any sort of rate-limiting. (For MIT, the hostname approval process implicitly ratelimits somewhat -- there's only, um, a bit under 2K <single-label>.mit.edu hostnames on scripts, it seems.)

(See also /mit/sipbzlog/scripts-by-instance/certs today.)