Server embedded CriticalOptions

With this release a new feature is introduced: the ability to configure that the server embed certain CriticalOptions on any certificate for a given environment. This means that the owner of the server can require, for example, that all certs issued specify that they are only valid from certain IP addresses (perhaps your local network subnet or subnets) or that only a specific command may be run on the remote server (perhaps locking a user down to a restricted shell).