Lightweight CAs: add ability to configure CRLs for lightweight CAs

[Bob131]

(A duplicate of #2186, as I'm not able to re-open that issue)

The inability to generate CRLs for sub-CAs is a bit of a problem for my use case. I'm attempting to migrate an ad-hoc CA for issuing VPN client certs to FreeIPA. Rotating credentials is a bit of a headache, so the current setup issues long-lived certificates and relies on CRLs to manage access. The plan was to have VPN certificates issued by a sub-CA, but the lack of support for issuing CRLs containing revoked sub-CA-issued certificates presents a problem.

[fmarco76]

@Bob131 this is something to implement but it will require time since there are higher priority issues for the moment. As workaround for your use case, have you considered to deploy a full subordinate CA instead of Lightweight? It will require a separate instance but should provide all you need.

[Bob131]

Of course. I wasn't expecting a quick turnaround, I was just making sure a ticket about this stays open.

I hadn't considered running a full sub-CA, and it looks like it might do the trick. Thank you for your suggestion!