feat: tedge cert create-key command

[Bravo555]

TODO

• handle all supported keys (EC 256/384, RSA 2048/3072/4096)
• allow selecting token, key label, key type and size using command line arguments
• write a test to maintain compatibility with 1.5.1
• how to switch to using the new key
• show more information after key is created
• test failure modes
• see if we can remove added dependencies
• cleanup

Proposed changes

Implements a tedge cert create-key command that can be used to create a private key on a PKCS11 token without additional tools.

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3665

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
• I ran just format as mentioned in CODING_GUIDELINES
• I used just check as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 8.73016% with 115 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...ates/extensions/tedge-p11-server/src/pkcs11/mod.rs	0.00%	64 Missing ⚠️
crates/extensions/tedge-p11-server/src/client.rs	36.66%	12 Missing and 7 partials ⚠️
...rates/core/tedge/src/cli/certificate/create_key.rs	0.00%	16 Missing ⚠️
crates/extensions/tedge-p11-server/src/server.rs	0.00%	14 Missing ⚠️
crates/core/tedge/src/cli/certificate/cli.rs	0.00%	1 Missing ⚠️
crates/extensions/tedge-p11-server/src/service.rs	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
664	2	3	666	99.70	1h49m22.68817s

Failed Tests

Name	Message	⏱️ Duration	Suite
Remote access session is independent from mapper (when using socket activation)	Failed to connect via remote access. stdout: <<EOT EOT stderr <<EOT Starting external command on 3020085491 (https://qaenvironment.eu-latest.cumulocity.com) Bad packet length 1397966893. ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 46547: message authentication code incorrect Duration: 1.326s 2025-07-15T11:24:46.574Z ERROR commandError: exit status 255 EOT	18.725 s	Test Remote Access
Can create a private key on the PKCS11 token and download new cert from c8y	'Certificate request self-signature verify failure ' does not contain 'Certificate request self-signature verify OK'	2.871 s	Private Key Storage