Need endpoints for fleet admin to manage TLS certificates for other silos

[askfongjojo]

Customer reports that the fleet admin is unable to update the TLS certificates of silos in which he isn't an admin. It is an awkward experience because he owns the wildcard cert and can use it for new silos. It's a reasonable expectation for the fleet admin to have CRUD endpoint like /system/silos/{silo}/certificate.

[david-crespo]

Note that the raw permissions for this already appear to be in place.

https://github.com/oxidecomputer/omicron/blob/c5ed4de5cd2b667cc4b46520e19bc036da8d63ab/nexus/auth/src/authz/omicron.polar#L438-L454

[askfongjojo]

It'll also be great if we can have the API update all silo certs as an option. It's probably an anti-pattern but will be a much more ergonomic way of handling cert rotation.