Parent task to track additional work required for cfssl
- backup private key
- add certs to /etc/ssl/certs
- add profile::pki::client to profile::base
- create check for ocsp and crl
- update cfssl-cert so it can clean out expired certificates
- Renew certificates based on the 1/2 time or some other relative value instead of a harcoded minimum
- investigate switching ganati cluster certificates to cfssl
- create a real pki.discovery address using active active