Make spki_der optional in /get-certificate requests, and fetch the unhashed SPKI from the bootstrap entry to construct the signatureless cert. This would be useful for testing, but probably not necessary for production.