Add integration for X.509 signing

Currently signstar only supports raw cryptographic signatures and OpenPGP signatures (after !19 (merged) is merged). For signing EFI binaries (e.g. shim, required for secure boot), we may require X.509 support, which should (also) be exposed in nethsm-cli and the standalone signing executable.