feat: M12 — sub-CA mode, ACME DNS-01 challenges, step-ca issuer connector

Sub-CA mode: Local CA loads CA cert+key from disk (CERTCTL_CA_CERT_PATH +
CERTCTL_CA_KEY_PATH) to operate as subordinate CA under enterprise root
(e.g., ADCS). Supports RSA, ECDSA, PKCS#8 keys. Validates IsCA and
KeyUsageCertSign. Falls back to self-signed when paths unset.

DNS-01 challenges: Pluggable DNSSolver interface with script-based hook
implementation. User-provided scripts create/cleanup _acme-challenge TXT
records for any DNS provider. Configurable propagation wait. Enables
wildcard certs and non-HTTP-accessible hosts.

step-ca connector: Smallstep private CA via native /sign API with JWK
provisioner auth. Issuance, renewal, revocation. Registered as iss-stepca.

23 new tests across 3 files. CI test path widened to ./internal/connector/issuer/...

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/architecture.md

@@ -42,7 +42,7 @@ flowchart TB
     subgraph "Issuer Backends"
         CA1["Local CA\n(crypto/x509)"]
         CA2["ACME\n(Let's Encrypt)"]
-        CA3["step-ca\n(planned)"]
+        CA3["step-ca\n(/sign API)"]
         CA4["OpenSSL / Custom CA\n(planned)"]
         CA5["ADCS\n(planned)"]
         CA6["Vault PKI\n(planned)"]
@@ -364,7 +364,7 @@ flowchart TB
         II["IssuerConnector Interface\nIssueCertificate() | RenewCertificate()\nRevokeCertificate() | GetOrderStatus()"]
         II --> LC["Local CA"]
         II --> ACME["ACME v2"]
-        II --> SC["step-ca (planned)"]
+        II --> SC["step-ca"]
         II --> OC["OpenSSL / Custom CA (planned)"]
         II --> AD["ADCS (planned)"]
         II --> VP["Vault PKI (planned)"]