Fix missing gRPC interceptor registrations for RevokeCert, DeleteCert, SignCSR

RevokeCert and DeleteCert were not registered in sealRequired, authRequired,
or adminRequired method sets, so the auth interceptor never ran for those
calls and CallerInfo arrived as nil, producing "authentication required".
SignCSR had the same gap in sealRequired and authRequired.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/webserver/routes.go

@@ -479,6 +479,12 @@ func (ws *WebServer) handleIssuerDetail(w http.ResponseWriter, r *http.Request)
 }
 
 func (ws *WebServer) handleIssueCert(w http.ResponseWriter, r *http.Request) {
+	// Disable the server-wide write deadline for this handler: it streams a
+	// tgz response only after several serial gRPC calls, which can easily
+	// consume the 30 s WriteTimeout before we start writing.  We set our own
+	// 60 s deadline just before the write phase below.
+	_ = http.NewResponseController(w).SetWriteDeadline(time.Time{})
+
 	info := tokenInfoFromContext(r.Context())
 	token := extractCookie(r)