Changes
- Allow 'y' or 'd' suffix to duration to specify years or days, and
'-1' to specify no expiration. - Encode dates earlier than 2050 as UTCTime as required by RFC 5280,
since libressl rejects certificates using GeneralizedTime for
these dates. - Use gmtime_r for thread-safety (it is accepted for C23).