Split tor-gencert into "make cert" and "sign" portions
The only part of tor-gencert that wants to stay offline is the part that actually uses the master identity key to sign the certificate. All the rest of generating the cert could be done online.
If we made those changes, we would allow operators to leave their offline gencert setups unmaintained for a very very very long time, which would make it easier to keep master identity keys offline.
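A sketch of the proposed split, added here as an illustration and not tor-gencert's code or output format. The function names, the simplified certificate layout, the SHA-256 digest and the constructed demo RSA key are all assumptions made for the example.

```python
import hashlib

# Constructed demo RSA key built from two Mersenne primes. NOT secure; it only
# stands in for the master identity key so the example runs with the stdlib.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: exists offline only
K = (N.bit_length() + 7) // 8       # modulus length in bytes

def pad(digest: bytes) -> int:
    """PKCS#1 v1.5 type-1 padding around a raw digest."""
    em = b"\x00\x01" + b"\xff" * (K - len(digest) - 3) + b"\x00" + digest
    return int.from_bytes(em, "big")

def make_cert(signing_key_pem: str, published: str, expires: str) -> str:
    """ONLINE step ("make cert"): build the to-be-signed body. No private key."""
    return ("dir-key-certificate-version 3\n"
            f"dir-key-published {published}\n"
            f"dir-key-expires {expires}\n"
            f"dir-signing-key\n{signing_key_pem}\n"
            "dir-key-certification\n")

def sign(body: str, d: int = D) -> bytes:
    """OFFLINE step ("sign"): the only code that touches the master key."""
    # Hash the body here instead of accepting a digest computed online, so the
    # offline operator can read exactly what is being certified.
    if not body.startswith("dir-key-certificate-version 3\n"):
        raise ValueError("not a certificate body")
    digest = hashlib.sha256(body.encode()).digest()
    return pow(pad(digest), d, N).to_bytes(K, "big")

def finish_cert(body: str, sig: bytes) -> str:
    """ONLINE step: verify with the public key, then attach the signature."""
    digest = hashlib.sha256(body.encode()).digest()
    if pow(int.from_bytes(sig, "big"), E, N) != pad(digest):
        raise ValueError("signature does not match the certificate body")
    return body + "-----BEGIN SIGNATURE-----\n" + sig.hex() + "\n-----END SIGNATURE-----\n"

if __name__ == "__main__":
    body = make_cert("<constructed signing key>", "2024-01-01 00:00:00", "2025-01-01 00:00:00")
    print(finish_cert(body, sign(body)))
```

Only `sign` needs `D`; the body and the signature are the only data that cross between the online and offline machines.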