feat: Support multiple active CAs in tctl auth export

[codingllama]

Add multiple active CAs support to tctl auth export via the --out flag.

• If a single active CA exists the behavior is the same as before
• If multiple active CAs exist the error message is changed to refer to the --out flag
• Any number of active CAs may be exported using --out without error

tctl before this PR:

$ tctl auth export --type=tls-user
ERROR: expected one TLS key pair, got 2

tctl after this PR:

$ tctl auth export --type=tls-user
ERROR: found 2 authorities to export, use --out to export all

$ tctl auth export --type=tls-user --out=ca
(stderr) Writing 2 files with prefix "ca"
(stdout) ca0.cer
(stdout) ca1.cer

$ cat ca?.cer
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIRAIhXW7vBMC0zFynLPShxFH0wDQYJKoZIhvcNAQELBQAw
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIQem9J7psCMl6QSKbClOdbtTANBgkqhkiG9w0BAQsFADBQ
(...)
-----END CERTIFICATE-----

Follow up from #51189.

#35444

Changelog: Added support for multiple active CAs in tctl auth export

[codingllama]

Branched from #51189:

• Add client-side functions to export multiple authorities #51189

This also borrows inspiration from Gavin's #35754, although it has my own spin on it.

[GavinFrazar]

LGTM, I left a couple of suggestions.

Thanks for fixing this!

[codingllama]

Many thanks for the quick reviews! I'll queue once the base PR is in.

[codingllama]

Friendly ping @avatus for g1 approval?

[codingllama]

Rebased on top of master, no changes. I'll prep some prereq backports then merge this one.

[public-teleport-github-review-bot]

@codingllama See the table below for backport results.

Branch	Result
branch/v15	Failed
branch/v16	Failed
branch/v17	Create PR