Enhance clab tools cert sign to generate node certificates for topology nodes

[Copilot]

This PR adds topology-based certificate generation to the clab tools cert sign command, allowing users to generate certificates for all nodes in a topology file that have certificate.issue=true configured.

Problem

Previously, the clab tools cert sign command could only generate individual certificates by manually specifying certificate parameters. Users had to run the command multiple times for each node in their topology, manually providing hosts, common names, and other certificate attributes.

Solution

Added a new --topology flag that:

• Loads a topology file and processes all nodes automatically
• Generates certificates only for nodes with certificate.issue=true
• Creates proper certificate Subject Alternative Names (SANs) including:
  • Node short name (e.g., router1)
  • Node long name with lab prefix (e.g., clab-mylab-router1)
  • Topology domain name (e.g., router1.mylab.io)
  • Custom SANs from node configuration
  • Management IPv4/IPv6 addresses
• Stores certificates in the standard topology directory structure (.tls/nodename/)
• Supports certificate overwriting for regeneration scenarios
• Respects node-specific certificate settings (key size, validity duration)

Usage

# Generate certificates for all nodes in topology with certificate.issue=true
clab tools cert sign --topology mylab.yml --ca-cert /path/to/ca.pem --ca-key /path/to/ca.key

# Works with existing CA auto-discovery from topology directory
clab tools cert sign --topology mylab.yml

# Original single certificate generation unchanged
clab tools cert sign --cn test.example.com --hosts test.example.com

Example

Given a topology file:

name: mylab
topology:
  nodes:
    router1:
      kind: nokia_srlinux
      mgmt-ipv4: 172.20.20.10
      certificate:
        issue: true
        sans:
          - router1.lab.example.com
    router2:
      kind: nokia_srlinux
      certificate:
        issue: false  # Skipped

The command generates a certificate for router1 with SANs: router1, clab-mylab-router1, router1.mylab.io, router1.lab.example.com, 172.20.20.10, and skips router2.

Implementation Details

• Maintains full backward compatibility with existing single-certificate functionality
• Leverages existing topology loading and certificate generation infrastructure
• Uses the same certificate storage patterns as node deployment
• Includes comprehensive error handling and logging
• All existing tests continue to pass

Fixes #[issue_number]

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Enhance clab tools cert sign to (re)generate node certs for topology nodes</issue_title>
<issue_description>Enhance clab tools cert sign to (re)generate node certs for topology nodes by providing path to the topology file.

It should rewrite existing node key/certs if they are present.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #1823

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.