Fix #20594 : Feature - 'consul tls cert renew' command #20604

Closed

vijayraghav-io
Contributor

@vijayraghav-io vijayraghav-io commented Feb 13, 2024

Description

Add a new CLI command to be able to renew an existing TLS server certificate:
consul tls cert renew

fixes #20594

The approach used to renew the existing TLS certificate:

  1. A new public key (cert file) is created with the same (existing) input private key.
  2. The same CA used to generate the initial cert is used to sign it. The CA file path is to be input.

Testing & Reproduction steps

  1. Create a CA with the command consul tls ca create
  2. Create a cert with the command consul tls cert create -server
  3. Renew the certificate created in step 2 with the same private key created in step 2, using the new command: consul tls cert renew -server -existingkey=<key file created in step 2>
  4. Replace the cert file created in step 2 with the new (renewed) cert file created in step 3.
  5. This avoids having to distribute a new trust chain to all clients and avoids a service disruption for clients.

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@github-actions github-actions bot added theme/cli Flags and documentation for the CLI interface theme/tls Using TLS (Transport Layer Security) or mTLS (mutual TLS) to secure communication theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Feb 13, 2024
@vijayraghav-io vijayraghav-io changed the title Fix #20594 : Feature - tls cert renew command Fix #20594 : Feature - 'consul tls cert renew' command Feb 13, 2024
@vijayraghav-io vijayraghav-io marked this pull request as ready for review February 14, 2024 15:45
@vijayraghav-io
Contributor Author

Hi @david-yu,
Kindly review this PR.

@vijayraghav-io
Contributor Author

vijayraghav-io commented Feb 15, 2024

Did one more round of self review and thought of adding an improvement:
Ideally, for the cert renew command, args like domain, dc, server/client/cli, etc. should not be required as input. These should be read from the existing certificate. So I added the arg -existingcert and removed the redundant args.
The updated arg list is -
-existingcert
-existingkey
-ca
-key
-days
-dnsnames
-ipaddresses

-existingcert and -existingkey are mandatory: paths to the existing cert.pem and key.pem files that have to be renewed.
-ca and -key -> paths to the CA cert and key files
-days defaults to 365
-dnsnames and -ipaddresses -> these are also read from the existing cert; any additional dnsnames and ipaddresses can be added here while renewing.
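The renewal flow from the PR description and this comment (same key pair, same CA, Subject and SANs read from the existing cert, extra SANs appended), written as an added Go example that is not the PR's or Consul's own code. RenewCert, issue and NewTestPKI are hypothetical names; the CA and server cert are constructed in-process fixtures standing in for the files written by consul tls ca create and consul tls cert create -server, and the key-mismatch check is an added guard, not something the PR text states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// RenewCert follows the PR's approach: keep the existing key pair, copy Subject, SANs and usages from
// the existing cert, append any extra SANs, and sign with the original CA. Example code, not Consul's own.
func RenewCert(old *x509.Certificate, key *ecdsa.PrivateKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey, days int, extraDNS []string, extraIPs []net.IP) (*x509.Certificate, error) {
	if !key.PublicKey.Equal(old.PublicKey) { // wrong -existingkey: refuse before signing anything
		return nil, errors.New("-existingkey does not match -existingcert")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // same key, but never the same serial
	if err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{SerialNumber: serial, Subject: old.Subject, KeyUsage: old.KeyUsage, ExtKeyUsage: old.ExtKeyUsage,
		DNSNames:    append(append([]string{}, old.DNSNames...), extraDNS...),
		IPAddresses: append(append([]net.IP{}, old.IPAddresses...), extraIPs...),
		NotBefore:   time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}, ca, &key.PublicKey, caKey)
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) { // sign tmpl for pub with parent/signer, then parse
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI is a constructed fixture standing in for the CA cert/key and server cert/key files produced by the consul tls commands.
func NewTestPKI() (ca, cert *x509.Certificate, caKey, key *ecdsa.PrivateKey) {
	caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Consul Agent CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	ca, _ = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	cert, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.dc1.consul"},
		DNSNames: []string{"server.dc1.consul", "localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}, ca, &key.PublicKey, caKey)
	return
}
```

Before swapping the file in (step 4 above), it is worth checking that the renewed cert still verifies against the CA and carries a new serial; the key material is unchanged, so clients trusting the CA need no new trust chain.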

@reskin89


This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

@github-actions github-actions bot added the meta/stale Automatically flagged for inactivity by stalebot label Apr 16, 2024
@vijayraghav-io
Contributor Author

Reminder to review this PR.

@github-actions github-actions bot removed the meta/stale Automatically flagged for inactivity by stalebot label Apr 26, 2024

This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

@github-actions github-actions bot added the meta/stale Automatically flagged for inactivity by stalebot label Aug 26, 2024

Closing due to inactivity. If you feel this was a mistake or you wish to re-open at any time in the future, please leave a comment and it will be re-surfaced for the maintainers to review.

@github-actions github-actions bot closed this Sep 25, 2024
@reskin89

Bump

Successfully merging this pull request may close these issues.

Consul tls command should be able to renew