Always verify certificates before use #42

Open
mmalone opened this issue Feb 23, 2019 · 0 comments
mmalone commented Feb 23, 2019

We should consider making commands like `step certificate key`, `step crypto jwe encrypt --key`, and `step crypto jwt verify --key` that take an X.509 certificate also verify that certificate before use. For the latter two commands we may also want to check the key use attribute(s) in the certificate and ensure they're appropriate for the command being run.

This seems like the right default in terms of safety/misuse prevention, although the risk of serious danger seems minimal (particularly for the key use bit). The downside is that it will add more complexity: we'll probably need to add `--root(s)` and `--insecure` flags to set the CA cert and disable verification, respectively. We'd probably also need `--subtle` to disable the key use check. And I'm pretty sure our CA doesn't include the necessary key use(s) for these operations in leaf certificates. All of this could confuse users.

I'm not sure what the right answer is, but wanted to capture some thoughts for now.

dopey added the roadmap label (An item for roadmap discussion) on Nov 18, 2020