It is going to be somewhat common for us to generate certificates for various purposes, including (but not limited to) self-signing and CSRs. While it is possible to assemble a certificate by hand using the DER encoding API, it would be nicer to have a certificate builder API which wraps the DER encoder and makes this process easier. It should adhere to all certificate generation rules and recommendations found in RFCs and elsewhere.