Tags: cloudtools/ssh-cert-authority

2.0.0

Unverified: The committer email address is not verified.

Add a note about being unable to self-sign

And remove some trailing whitespace from a line in sign_certd

2.0

Unverified: The committer email address is not verified.

Add a note about being unable to self-sign

And remove some trailing whitespace from a line in sign_certd

1.7.1

Unverified: The committer email address is not verified.

Fix parse error when using key fingerprints

The last release broke using private key fingerprints. This change fixes
that up so that we properly delineate fingerprints and KMS URLs and
handle them each appropriately.

1.7.0

Unverified: The committer email address is not verified.

Introducing Google Cloud KMS signing

If you're a Google Cloud user you can root your CA in one of their keys
instead of mucking around with keys in ssh-agent.

I also ported us to Go modules with this change.

1.6.2

Build enhancements

This version includes changes to the Makefile and Docker build environment.
We also move to Go 1.9 and the Docker containers are based on Ubuntu 16.04
instead of 15.10.

1.6.0

Unverified: The committer email address is not verified.

Resolves #2 "Support binding to localhost"

Introduces user-configured listen address and defaults to a more secure
listen address of `127.0.0.1:8080`.

1.5.0

Unverified: The committer email address is not verified.

Add ability to inject critical options into certs

You may now specify CriticalOptions in sign_certd's config on a
per-environment basis. This allows you to write a policy that says all
certs against this environment will have exactly these critical options.
You can ensure that certs always launch users into restricted shells or
from a defined range of source IPs as supported by sshd.

1.4.1

Unverified: The committer email address is not verified.

Log the base32 request id when auto signing

Oops. Was logging the raw bytes instead, which led to ugly Slack
messages.

1.4.0

Unverified: The committer email address is not verified.

Fix go vet errors related to string formats

Stupid programmer errors.

1.3.1

Unverified: The committer email address is not verified.

Add tool for generating KMS-encrypted CA keys

Previously you had to run ssh-keygen, temporarily storing the output in a
file before using this utility to encrypt the key. Now you can simply
have this tool generate the key and send the private key directly to KMS for
encryption. This should be both simpler and more secure.