replace openssl NXP verified boot CA #327
Description
the certs generated are defined in rfd 286 and NXP docs
We've gotta be able to oks ca init such a CA which requires bootstrapping whatever persistent metadata we need. The current implementation does so for an openssl ca but whether or not we should maintain backward compatibility is an open question.
This is related to #326. Taking these on as separate tasks may make for more work since the two implementations are entangled.