@agy agy commented Aug 11, 2020

By default when certstrap initializes a CA certificate it sets the
`pathlen` X509v3 basic constraint to zero (0). This is correct if the CA
will not be used in a certificate chain which includes intermediate
certificates.

Add a parameter to `certstrap init` to allow a user to override the
`pathlen` constraint if they know that their CA will be used with
intermediate certificates. By default the value is set to zero, leaving
the behaviour the same as before this change if the parameter isn't
overridden.

c.f. https://tools.ietf.org/html/rfc5280#section-4.2.1.9

Example usage:

```
$ certstrap init -cn foo.example.com
[...]
$ openssl x509 -noout -text -in out/foo.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
[...]
```

```
$ certstrap init -cn bar.example.com --path-length 1
[...]
$ openssl x509 -noout -text -in out/bar.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
[...]
```

Fixes: #78
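To see what the `pathlen` value changes in practice, here is an added Go example (my own, not certstrap's code) that uses `crypto/x509` to issue root -> intermediate -> leaf and verify the leaf against the root, once with the root at `pathlen:0` and once at `pathlen:1`. The helper names, serial numbers and the hostname `leaf.example.com` are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate builds a CA template; Go encodes pathlen:0 only when MaxPathLenZero is set (MaxPathLen 0 alone omits pathlen).
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
}

// sign issues tmpl under parent with a fresh P-256 key; a nil parent yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyLeafViaIntermediate builds root(pathlen:rootPathLen) -> intermediate(pathlen:0) -> leaf and returns leaf.Verify's error.
func VerifyLeafViaIntermediate(rootPathLen int) error {
	root, rootKey := sign(caTemplate("root", 1, rootPathLen), nil, nil)
	inter, interKey := sign(caTemplate("intermediate", 2, 0), root, rootKey)
	leaf, _ := sign(&x509.Certificate{ // constructed end-entity certificate for a made-up hostname
		SerialNumber: big.NewInt(3), DNSNames: []string{"leaf.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	// With the root at pathlen:0 this is "x509: too many intermediates for path length constraint"; at pathlen:1 it is nil.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "leaf.example.com"})
	return err
}
```

Go's verifier reports the same condition OpenSSL shows as `error:num=25:path length constraint exceeded` in the linked issue; the intermediate itself keeps `pathlen:0` because it only issues end-entity certificates.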


CLAassistant commented Aug 11, 2020

CLA assistant check
All committers have signed the CLA.

@MichaelViveros

Not sure what the status of this is but just wanted to say thanks @agy! I'm working on a blog post about testing out mTLS locally with an intermediate CA and I was able to get it all working thanks to you.

Contributor

@mcpherrinm mcpherrinm left a comment


This looks fine to me but I'm not really working on this codebase anymore so I'll see if anyone else is available to merge it.


jtribble commented Jun 5, 2021

Thanks for the fix @agy—I ran into the same issue!

Successfully merging this pull request may close these issues.

Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded