Add root certificate to step certificate inspect --bundle

[alanchrt]

What would you like to be added

Right now step certificate inspect --bundle displays the leaf and the intermediate certs. It would be nice if it could also display the root.

Why this is needed

We just ran into an issue where TLS connections were failing with a message about an expired certificate. However, the expiration date in the error message didn't match the date shown for the server cert at all. Both the server leaf cert and intermediate cert were still valid. It wasn't until looking at the certs with openssl that we noticed the root certificate was actually expired.

Including the root in --bundle would have made debugging this very straightforward.

Edit: I'm specifically referring to step certificate inspect on a URL, not a PEM file.

[dopey]

This is a bit nuanced.

• We don't want to return the root in all bundles - for example when using --pem to create a pem file for your server.
• We could have a flag to return the root in the bundle but at that point you'd need to know that you wanted to look at the root in which case there are probably easier ways to get at the root.
• The root provided by the --root argument to inspect does not actually have to be the real root (I didn't know this). It just needs to be a certificate with the right public key. So verifying the root in this case doesn't give real confidence.

So, our proposed strategy for this is:

• Have better guidance around setting up alerts for root and intermediate expiry's. Currently our guidance is non-existent. We've stepped around this problem by having 10yr default lifetimes so they'll never expire \s.