feat: Support multiple active CAs in Web exports

[codingllama]

Add support for exporting multiple active CAs via the "format=zip" param.

• If a single active CA exists the behavior is the same as before
• If multiple active CAs exist the error message is changed to refer to the "format=zip" param
• Any number of active CAs may be exported using "format=zip"

Error before this PR:

GET /auth/export?type=tls-user

"export returned 2 authorities, expected exactly one"

After this PR:

GET /auth/export?type=tls-user

"found 2 authorities to export, use format=zip to export all"

If format=zip is supplied (for example, "/auth/export?type=tls-user&format=zip") then a zip file called "Teleport_CA.zip" is returned as an attachment. The file contains various "ca$i.cer" files, one for each exported CA, in whatever format it would have as a single-file export.

Follow up from #51189. Sibling PR to #51298.

#35444

Changelog: Added support for multiple active CAs in the /auth/export endpoint

[codingllama]

Branched from #51189.

• Add client-side functions to export multiple authorities #51189

[codingllama]

The PR is smaller than it seems, as there's a big move from the larger apiserver{,_test}.go files to ca_export{,_test}.go files. Because of that I suggest reviewing commit-by-commit.

• The move commit is a plain move without changes (768da03)
• The test refactor commit doesn't change any functionality (1cfebdc)

[codingllama]

Takes inspiration from Gavin's #35754, although it has my own spin on it.

[zmb3]

Do we have a way to put multiple DER-encoded certs in the zip file for windows, or will the zip always use PEM?

The use case that led to this issue was exporting the windows CA when using HSMs. In order to import the CA on the windows side it needs to be DER.

[codingllama]

Do we have a way to put multiple DER-encoded certs in the zip file for windows, or will the zip always use PEM?

The use case that led to this issue was exporting the windows CA when using HSMs. In order to import the CA on the windows side it needs to be DER.

I used type=tls-user as an example, but it works the same for type=windows - you'd get the same zip as a result, but the underlying .cer files are DER and not PEM.

[codingllama]

Friendly ping @mvbrock @probakowski @GavinFrazar.

[codingllama]

Rebased onto master, no changes.

[codingllama]

Thanks, Zac!

[codingllama]

Rebased onto master so I can pull #51298 (the tctl PR) and add a final cleanup commit - 9e1b309. PTAL.

[codingllama]

Friendly ping @mvbrock @probakowski @GavinFrazar ?

[public-teleport-github-review-bot]

@codingllama See the table below for backport results.

Branch	Result
branch/v15	Failed
branch/v16	Failed
branch/v17	Failed