Fix web UI download links for CA certs, SSH CA pubkey, and KRL

Templates linked to /v1/ API server routes which don't exist on the
web server (separate binary). Add web server handlers that fetch data
via gRPC and serve the downloads directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/webserver/sshca.go

@@ -40,6 +40,44 @@ func (ws *WebServer) handleSSHCA(w http.ResponseWriter, r *http.Request) {
 	ws.renderTemplate(w, "sshca.html", data)
 }
 
+func (ws *WebServer) handleSSHCADownload(w http.ResponseWriter, r *http.Request) {
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName)
+	if err != nil || pubkey == nil {
+		http.Error(w, "CA public key not found", http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Content-Disposition", "attachment; filename=ca.pub")
+	_, _ = w.Write([]byte(pubkey.PublicKey)) //nolint:gosec
+}
+
+func (ws *WebServer) handleSSHCAKRLDownload(w http.ResponseWriter, r *http.Request) {
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	krl, err := ws.vault.GetSSHCAKRL(r.Context(), mountName)
+	if err != nil {
+		http.Error(w, "KRL not found", http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", "attachment; filename=krl.bin")
+	_, _ = w.Write(krl) //nolint:gosec
+}
+
 func (ws *WebServer) handleSSHCASignUser(w http.ResponseWriter, r *http.Request) {
 	info := tokenInfoFromContext(r.Context())
 	token := extractCookie(r)