Add certificate revocation, deletion, and retrieval

Admins can now revoke or delete certificate records from the cert detail
page in the web UI. Revoked certificates display a [REVOKED] badge and
show revocation metadata (time and actor). Deletion redirects to the
issuer page.

The REST API gains three new authenticated endpoints that mirror the
gRPC surface:
  GET    /v1/ca/{mount}/cert/{serial}         (auth required)
  POST   /v1/ca/{mount}/cert/{serial}/revoke  (admin only)
  DELETE /v1/ca/{mount}/cert/{serial}         (admin only)

The CA engine stores revocation state (revoked, revoked_at, revoked_by)
directly in the existing CertRecord barrier entry. The proto CertRecord
message is extended with the same three fields (field numbers 10–12).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/webserver/server.go

@@ -37,6 +37,8 @@ type vaultBackend interface {
 	SignCSR(ctx context.Context, token string, req SignCSRRequest) (*SignedCert, error)
 	GetCert(ctx context.Context, token, mount, serial string) (*CertDetail, error)
 	ListCerts(ctx context.Context, token, mount string) ([]CertSummary, error)
+	RevokeCert(ctx context.Context, token, mount, serial string) error
+	DeleteCert(ctx context.Context, token, mount, serial string) error
 	Close() error
 }
 
@@ -98,6 +100,12 @@ func (lw *loggingResponseWriter) WriteHeader(code int) {
 	lw.ResponseWriter.WriteHeader(code)
 }
 
+// Unwrap returns the underlying ResponseWriter so that http.ResponseController
+// can reach it to set deadlines and perform other extended operations.
+func (lw *loggingResponseWriter) Unwrap() http.ResponseWriter {
+	return lw.ResponseWriter
+}
+
 // Start starts the web server. It blocks until the server is closed.
 func (ws *WebServer) Start() error {
 	r := chi.NewRouter()