kx509: Create certs for principals with slashes

kx509 fails to create certs for principals with slashes in them.  For
example:

    client% kinit foo/admin
    foo/admin@EXAMPLE.COM's Password:
    client% kx509
    Timed out waiting on KCA

The KCA reports: "Principal is not a user."  However, there is a use
case set out in this post:

https://thestaticvoid.com/post/2012/10/25/protecting-puppet-with-kerberos/

that would create a kx509 cert for a host principal for authenticating
against a secure HTTP service.  This commit modifies the certificate
creation code to allow principals with slashes in them.

kdc/kx509.c

@@ -143,22 +143,26 @@ build_certificate(krb5_context context,
 		  krb5_principal principal,
 		  krb5_data *certificate)
 {
+    char *name = NULL;
     hx509_ca_tbs tbs = NULL;
     hx509_env env = NULL;
     hx509_cert cert = NULL;
     hx509_cert signer = NULL;
     int ret;
 
-    if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
+    ret = krb5_unparse_name_flags(context, principal,
-	kdc_log(context, config, 0, "Principal is not a user");
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-	return EINVAL;
+				  &name);
-    }
-
-    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
-			krb5_principal_get_comp_string(context, principal, 0));
     if (ret)
 	goto out;
 
+    ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
+			name);
+    if (ret)
+	goto out;
+
+    krb5_xfree(name);
+
     {
 	hx509_certs certs;
 	hx509_query *q;
@@ -262,6 +266,8 @@ build_certificate(krb5_context context,
 
     return 0;
 out:
+    if (name)
+	krb5_xfree(name);
     if (env)
 	hx509_env_free(&env);
     if (tbs)