Add --allow-authorization-extensions to puppet cert sign

In Scope

• Support a new flag in the "puppet cert sign" tool, "--allow-authorization-extensions"
• Determine if a cert given to "puppet cert sign" has any extensions under the puppet.1.3 OID arc
• Fail the signing unless the --allow-authorization-extensions flag is present
• Audit the cert-related tools in puppet to see if any need to be updated with respect to this work; ca, certificate, certificate-request, certificate-revocation-list. Hopefully they don't need to be updated.
• Update the internal signing policy in the ruby CA code to allow the new puppet.3 arc (in certificate_authority.rb:323 in puppet)

Out of Scope

• Worrying about any extensions other than those under puppet.1.3