AutoTLS CA rotation #93

@Jimvin

Description

Currently the CA certificates created by secret-operator are valid for two years and signed service certificates for 1 day. We should improve the lifecycle handling for TLS certificates to ensure that new certificates are minted and rotated in when required. We should also generate metrics or alerts for certificate expiration, especially for the CA.

### Must have
- [x] New CA certificate should be generated some time in advance of the current one expiring
- [x] After a new CA is provisioned, old CA should still be used for Some Time(tm) to ensure that old peers will trust them (at least until those peers' own certs expire)
- [x] All valid CA certificates must be added to truststores (ca.crt and truststore.p12)
### Nice to have
- [ ] Clean up expired CA certificates?
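The rotation policy the must-haves describe, written out as a small Python model (added here as an illustration; this is not secret-operator's code). It assumes a 30-day rotation lead time, since the issue only says "some time in advance", and it represents a CA by its validity window alone. The point it makes explicit: if a CA only ever signs leaf certs that expire before the CA itself does, then keeping every still-valid CA in the truststore is exactly the overlap the second must-have asks for, and expired CAs can be dropped safely.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lifetimes stated in the issue: CA valid two years, service (leaf) certs one day.
CA_LIFETIME = timedelta(days=730)
LEAF_LIFETIME = timedelta(days=1)
# Assumed rotation lead time; the issue does not fix a number.
ROTATION_LEAD = timedelta(days=30)


@dataclass(frozen=True)
class CaCert:
    """Minimal model of a CA certificate: a name and its validity window."""
    name: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


def mint_ca(name: str, now: datetime) -> CaCert:
    """Create a new CA valid from now for CA_LIFETIME."""
    return CaCert(name, now, now + CA_LIFETIME)


def needs_new_ca(cas: list[CaCert], now: datetime) -> bool:
    """Must-have 1: mint a successor unless some CA stays valid beyond now + ROTATION_LEAD."""
    return not any(ca.is_valid_at(now) and ca.not_after - now > ROTATION_LEAD for ca in cas)


def signing_ca(cas: list[CaCert], now: datetime) -> CaCert:
    """Pick the newest CA that will outlive a leaf cert issued now.

    Requiring not_after - now >= LEAF_LIFETIME guarantees every leaf expires
    before its issuer, so keeping each CA trusted until its own not_after
    (must-have 2) covers every peer cert it ever signed.
    """
    candidates = [ca for ca in cas
                  if ca.is_valid_at(now) and ca.not_after - now >= LEAF_LIFETIME]
    if not candidates:
        raise RuntimeError("no CA can sign a leaf that stays valid for LEAF_LIFETIME")
    return max(candidates, key=lambda ca: ca.not_before)


def truststore(cas: list[CaCert], now: datetime) -> list[CaCert]:
    """Must-have 3: every CA still inside its validity window belongs in ca.crt / truststore.p12."""
    return sorted((ca for ca in cas if ca.is_valid_at(now)), key=lambda ca: ca.not_before)


def reconcile(cas: list[CaCert], now: datetime) -> list[CaCert]:
    """One reconcile step: drop expired CAs (the nice-to-have), then mint a successor if needed."""
    live = [ca for ca in cas if now < ca.not_after]
    if needs_new_ca(live, now):
        # Name by issue date; a real implementation would use a proper serial.
        live.append(mint_ca(f"ca-{now.strftime('%Y%m%d')}", now))
    return live


if __name__ == "__main__":
    # Constructed timeline: one CA minted at t0, then reconciled at a few later points.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cas = [mint_ca("ca-1", t0)]
    for days in (0, 699, 700, 715, 730):
        now = t0 + timedelta(days=days)
        cas = reconcile(cas, now)
        print(f"day {days:3}: signing={signing_ca(cas, now).name:<12} "
              f"truststore={[ca.name for ca in truststore(cas, now)]}")
```

Running it shows the handover: nothing changes until day 700 (30 days before ca-1 expires), a second CA is minted and immediately takes over signing, both CAs sit in the truststore through the overlap, and on day 730 ca-1 drops out of the truststore and is cleaned up. The guard in `signing_ca` is what makes cleanup-at-expiry safe; a CA that is allowed to sign right up to its own expiry would need the old CA retained for a further LEAF_LIFETIME after it stops signing.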

Status: Done
