0d37d23 Optionally add service name to Custodia key DNs

1 file. Authored by ftweedal 7 years ago, committed by jcholast 7 years ago.
    Optionally add service name to Custodia key DNs
    
    Lightweight CAs support introduces new service principals for
    Dogtag, with Custodia keys.  The current Custodia key creation uses
    a DN that contains only the key type and the hostname, so keys for
    multiple services on the same host cannot be created.
    
    Add the 'generate_keys' method to generate keys for a host or an
    arbitrary service.  When a service name is given, add the key
    entries in a nested container with RDN 'cn=<service name>'.  (The
    container is assumed to exist.)
    
    This change does not affect searching because subtree search is
    used, filtering on the ipaKeyUsage and memberPrincipal attributes.
    
    Part of: https://fedorahosted.org/freeipa/ticket/4559
    
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    
        
file modified
+22 -5