Toolchain support for login certificate handling
Login certificates, as of 2015-03-25, are defined to have three properties:
- the DN is of the form "PN: $NAME/Login" (barring whitespace)
- the subjectAltName->email extension contains the Microsoft UPN value of the user
- the DFN certificate profile should be UserSignAndLogin
A toolchain to verify/enforce the latter property is desirable.