CLI: Maybe support key generation via OpenSSL provider

Would be nice to support the generation of the new to-be-certified key pair via OpenSSL providers.
Otherwise, if one has been specified and the `-newkeytype` option is given, better warn that  the option does not work with the provider.