CreateCertificate now checks the resulting signature as of Go 1.16+.
This was confusing our unit test for invalid dehydrated certs, which was
expecting to need to verify the cert after the cert was created.
This avoids tying the ncdns repo to a specific Go version; we can maintain
separate branches of the x509-signature-splice repo per Go version with
much less hassle.
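
The Go 1.16+ behaviour described above, as an added example (not code from ncdns or x509-signature-splice): a signer that returns a non-verifying signature makes `x509.CreateCertificate` itself fail, so a test can no longer expect to obtain the invalid certificate and reject it afterwards. `badSigner`, `selfSign`, `demo` and the subject name are hypothetical names constructed for this illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// badSigner (hypothetical) wraps a real key but signs a different digest,
// so the signature is well-formed ASN.1 yet does not verify over the TBS bytes.
type badSigner struct{ crypto.Signer }

func (b badSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	tampered := append([]byte(nil), digest...)
	tampered[0] ^= 0xff
	return b.Signer.Sign(r, tampered, opts)
}

// selfSign builds a minimal self-signed certificate with the given signer.
func selfSign(signer crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
}

// demo returns the CreateCertificate error for an honest and a broken signer.
func demo() (goodErr, badErr error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	_, goodErr = selfSign(key)
	_, badErr = selfSign(badSigner{key})
	return goodErr, badErr
}

func main() {
	goodErr, badErr := demo()
	fmt.Println("honest signer:", goodErr)
	fmt.Println("broken signer:", badErr)
}
```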