minimize certificate (use-case specific?)

Some specific use cases want a "minimal" certificate. For example, debian packaging workflows typically need a certificate only so far as that certificate can be known long-term to sign an upstream source release.

It would be nice if SOP could produce such a minimal certificate. I'm not sure whether that would be a new subcommand, or perhaps some sort of filtering argument to sop merge-certs