Allow specifying duration in units of days or years
Use UTCTime for dates before 2050

This is required to strictly conform to RFC 5280. It seemed that
the trade-off was potentially breaking support for old implementations,
but it seems that even modern LibreSSL rejects dates <2050 using
the GeneralizedTime format (though I believe this is non-conforming).
Use gmtime_r to convert to broken-down time

gmtime is not thread-safe, and this may be used in an application
using threads. Though gmtime_r is not in C99, it is in POSIX and
in the current C23 draft.
Switch order of command-line arguments and make subject optional
dn_string: Allow empty DN
Add pkg-config file
Add missing dependencies to install target

I removed these earlier... must've been confused. Only the static
files (*.[13] *.h) are unnecessary.
Set CFLAGS and LDLIBS before including config.mk
Use tag==0 to indicate pre-encoded item contents

This removes the need for x509cert_raw_encoder.
Set alt encoder to NULL

This array is previously uninitialized, and we want to use the
default encoder.
dn_string: Initialize `space` in case attribute value is empty
dn_string: Cast is*() argument to unsigned char

Otherwise, multibyte characters may end up as negative when converted
to int, and these functions have undefined behavior with negative
argument (that is not EOF).
dn_string: Set NULL encoder for RDN values
Allocate 1 extra byte for PEM null terminator

The length returned by br_pem_encode does not include the nul
terminator that it writes. Even though we write with fwrite so don't
need it, we need to make sure the buffer is large enough.
der: Include inner.h for some prototypes
Write xmallocarray in terms of xmalloc
README: Add build status
Update comment
Remove const from some pointer types in structures

It is often more convenient if these are not const during their