tls: allow generating TLS key pairs for use outside of libp2p

[peterargue]

We have a use case where we'd like to authenticate a node's gRPC interface using the same identity as the node's libp2p interface. This is currently possible by extracting the key pair from the Identity struct generated in crypto.go, however, the default certificate generated does not contain all of the fields required by 3rd party TLS implementations to verify the peer. See libp2p/go-libp2p-tls#97

Given this is not a standard use case, it may not make sense to build in special support for custom certificate options. However, we could implement that easily if the keyToCertificate method was exported along with a new method that returns the signed pkix.Extension.

[marten-seemann]

We have a use case where we'd like to authenticate a node's gRPC interface using the same identity as the node's libp2p interface.

Why don't you just run gRPC over a libp2p stream?

[peterargue]

we chose to not use libp2p streams because our gRPC interface is public and

1. we don't want to require all gRPC clients to use libp2p libraries
2. we want to allow node operators to use off the shelf services for TLS termination (e.g. a sidecar proxy that terminates ssl and handles rate limiting)