New client certs can be minted via the provided script, which is meant to be run on the postgres server (where the CA private key is conveniently deployed).
