ComputeHashAsSigner computes the bytes of the policy certificate as being an owner certificate.

SignAsOwner generates a signature using the owner's key, and fills the owner signature in the policy certificate signing request.

SignPolicyCertificateAsIssuer is called by PCAs after they have received the SPTs from the CT log servers.

SignRequestAsIssuer is called by the Policy CA.

VerifyIssuerConstraints verifies various constraints given by the issuer policy certificate and returns the first violated constraint, or nil if no constraints were violated.

VerifyIssuerSignature: used by domain owner, check whether CA signature is correct.

VerifyOwnerSignature verifies the owner's signature using the public key.