If my understanding of the internals of the step-ca:hsm Docker image is correct, it is not possible to use it in a scenario where you want to use it as an intermediate CA, i.e. the root is offline and step-ca:hsm needs to generate a CSR (based on a key in the TPM) to send to the root.
It would be nice if step-ca:hsm could be made more flexible to accommodate this use case, which I imagine is not uncommon. 😉