smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Subcommand to create SSH CA host & user root certificates & keys #211

Open mmalone opened 4 years ago

mmalone commented 4 years ago

We don't currently have any way to create a host / user root certificate for SSH. You'd need this to rotate your root certificate, or if you run step ca init without --ssh and want to enable SSH later. Or if you want to use step to generate SSH CA artifacts, but not use step-ca.

Before any engineering work is done we need to figure out where to fit this into the CLI. We do this for X.509 via step certificate create with the --profile flag. For SSH, the step ssh certificate subcommand feels like the right place for this. But it's already a pretty complicated subcommand, and this would add a lot more complexity. Maybe we need a different subcommand.

Relatedly, we may want a more streamlined subcommand to enable SSH for an existing step-ca installation that generates both root certs (host & client) and makes the appropriate CA config changes for you (like step ca provisioner add).

maraino commented 4 years ago

@mmalone As a "root" certificate for SSH is just a private key, step crypto keypair should be good; we will need to add some docs for that.

mmalone commented 4 years ago

Ah, of course. That makes sense. We might still want to add an alias under the step ssh command group for ergonomics if people aren't finding this.

For now let's document. We should probably note this somewhere under step help ssh.