Add mechanisms for CA key rotation
In normal operation, a CA may want to regularly issue a new CA key. A related case is when a CA key has been compromised.
In both cases we need mechanisms to keep track of old versions of the CA key, and to publish revoked old CA certs (e.g. via WKD).
Edited by Heiko