
Feat x509 validity #1432


Status: Open. Wants to merge 2 commits into base: master.

Conversation

alvidofaisal

Name of feature:

Enable --cert-not-before and --cert-not-after for X.509 certificate tokens

Pain or issue this feature alleviates:

Currently, the step ca token command only supports the --cert-not-before and --cert-not-after flags for SSH certificates. This PR extends this functionality to X.509 certificates, allowing you to enforce specific validity periods for X.509 certificate tokens directly at the time of token creation. This is useful for scenarios where one-time tokens are issued to third parties to enroll for a certificate, and a shorter certificate runtime than the provisioner's maximum is desired.

Why is this important to the project (if not answered above):

This enhancement provides more granular control over certificate validity for X.509 tokens, improving security and flexibility in certificate issuance workflows.

Is there documentation on how to use this feature? If so, where?

The command-line help for step ca token will reflect this change. The public documentation on smallstep.com (specifically https://smallstep.com/docs/step-cli/reference/ca/token/#options) will need to be updated to remove the SSH-only restriction for these flags. (This has been noted as a separate task).

In what environments or workflows is this feature supported?

This feature is supported wherever step ca token is used to generate tokens for X.509 certificates, in both online and offline CA modes.

In what environments or workflows is this feature explicitly NOT supported (if any)?

There are no environments or workflows where this feature is explicitly not supported, beyond the general requirements for using the step ca token command.

Supporting links/other PRs/issues:

💔Thank you!
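The description above leaves one check implicit: when a token carries its own validity window, the CA still has to keep that window inside the provisioner's limits rather than trust it as given. The following Go snippet is an added illustration of that policy, not code from this PR or from step-cli/step-ca; the `Window`/`ResolveWindow` names, the "notBefore defaults to now" rule and the min/max durations are assumptions standing in for the provisioner's TLS certificate duration claims.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Window is the validity requested with --cert-not-before / --cert-not-after.
// A zero NotBefore means the flag was not given; the CA's clock is used.
type Window struct {
	NotBefore time.Time
	NotAfter  time.Time
}

// ResolveWindow fills in defaults and applies the checks a CA should make
// before honouring a caller-supplied X.509 validity window (assumed policy,
// not the step-cli/step-ca implementation): notBefore precedes notAfter,
// notAfter is still in the future, and the lifetime stays within the
// provisioner's minimum and maximum certificate durations.
func ResolveWindow(req Window, now time.Time, minDur, maxDur time.Duration) (Window, error) {
	w := req
	if w.NotBefore.IsZero() {
		w.NotBefore = now
	}
	if w.NotAfter.IsZero() {
		return Window{}, errors.New("notAfter is required for a validity window")
	}
	if !w.NotBefore.Before(w.NotAfter) {
		return Window{}, errors.New("notBefore must precede notAfter")
	}
	if !w.NotAfter.After(now) {
		return Window{}, errors.New("notAfter is already in the past")
	}
	lifetime := w.NotAfter.Sub(w.NotBefore)
	if lifetime < minDur {
		return Window{}, fmt.Errorf("lifetime %s is below the provisioner minimum %s", lifetime, minDur)
	}
	if lifetime > maxDur {
		return Window{}, fmt.Errorf("lifetime %s exceeds the provisioner maximum %s", lifetime, maxDur)
	}
	return w, nil
}

func main() {
	// Constructed sample: a one-time enrolment token meant to live one hour,
	// checked against a provisioner that allows 5m..24h certificates.
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	w, err := ResolveWindow(Window{NotAfter: now.Add(time.Hour)}, now, 5*time.Minute, 24*time.Hour)
	fmt.Println(w.NotBefore.Format(time.RFC3339), w.NotAfter.Format(time.RFC3339), err)
	_, err = ResolveWindow(Window{NotAfter: now.Add(48 * time.Hour)}, now, 5*time.Minute, 24*time.Hour)
	fmt.Println("48h window rejected:", err)
}
```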

Labels: needs triage (Waiting for discussion / prioritization by team)

Successfully merging this pull request may close these issues.

Parameters --cert-not-after and --cert-not-before of step ca token for non-ssh certificates