security: accept CA keys in either PKCS#1 or PKCS#8 encodings

[knz]

Fixes #64942.

NB: I am not sure at which location I should implement a unit test for this. MY original goal was to create an end-to-end integration test for cockroach connect join, and this catches it immediately. However, maybe we can make a unit test that's smaller in scope?

Taking suggestions.

[cockroach-teamcity]

This change is 

[aaron-crl]

Approach looks good.

I'd be happy to see a light unit test in the security package here for this with a static pair of test certs. E2E would be good too but shouldn't block this.

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @bdarnell)

[bdarnell]

It looks like cockroach cert create-ca unconditionally uses PKCS1 (PKCS8 is only an option for client certs) and the new auto-TLS stuff unconditionally uses PKCS8. Why the difference? When would this code ever see a PKCS1 key?

I think we already have a function for this: parsePrivateKey in security/pem.go.