add -badsig option to corrupt CRL signatures for testing too