feat: M12 — sub-CA mode, ACME DNS-01 challenges, step-ca issuer connector

Sub-CA mode: Local CA loads CA cert+key from disk (CERTCTL_CA_CERT_PATH +
CERTCTL_CA_KEY_PATH) to operate as subordinate CA under enterprise root
(e.g., ADCS). Supports RSA, ECDSA, PKCS#8 keys. Validates IsCA and
KeyUsageCertSign. Falls back to self-signed when paths unset.

DNS-01 challenges: Pluggable DNSSolver interface with script-based hook
implementation. User-provided scripts create/cleanup _acme-challenge TXT
records for any DNS provider. Configurable propagation wait. Enables
wildcard certs and non-HTTP-accessible hosts.

step-ca connector: Smallstep private CA via native /sign API with JWK
provisioner auth. Issuance, renewal, revocation. Registered as iss-stepca.

23 new tests across 3 files. CI test path widened to ./internal/connector/issuer/...

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

migrations/seed_demo.sql

@@ -32,6 +32,7 @@ ON CONFLICT (id) DO NOTHING;
 INSERT INTO issuers (id, name, type, config, enabled, created_at, updated_at) VALUES
   ('iss-local',    'Local Dev CA',          'local',      '{"ca_common_name": "CertCtl Demo CA", "validity_days": 90}', true,  NOW(), NOW()),
   ('iss-acme-le',  'Let''s Encrypt Staging', 'acme',      '{"directory_url": "https://acme-staging-v02.api.letsencrypt.org/directory", "email": "admin@example.com"}', true,  NOW(), NOW()),
+  ('iss-stepca',   'step-ca Internal',      'stepca',     '{"ca_url": "https://ca.internal:9000", "provisioner_name": "certctl", "validity_days": 90}', false, NOW(), NOW()),
   ('iss-digicert', 'DigiCert (disabled)',    'generic_ca', '{"api_url": "https://api.digicert.com", "api_key": "REDACTED"}', false, NOW(), NOW())
 ON CONFLICT (id) DO NOTHING;