feat(m27): certificate export (PEM/PKCS#12) and S/MIME EKU support

Add certificate export in PEM (JSON or file download) and PKCS#12 formats.
Private keys are never included — they stay on agents. Add EKU-aware
issuance threading profile EKUs (serverAuth, clientAuth, codeSigning,
emailProtection, timeStamping) through the full issuance pipeline. Fix
agent CSR SAN splitting for email addresses, adaptive KeyUsage flags for
S/MIME vs TLS, and a pre-existing generateID collision bug in deployment
job creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/api/client.ts

@@ -95,6 +95,33 @@ export const revokeCertificate = (id: string, reason: string) =>
     body: JSON.stringify({ reason }),
   });
 
+// Certificate Export
+export const exportCertificatePEM = (id: string) =>
+  fetchJSON<{ cert_pem: string; chain_pem: string; full_pem: string }>(`${BASE}/certificates/${id}/export/pem`);
+
+export const downloadCertificatePEM = (id: string) => {
+  const headers: Record<string, string> = {};
+  if (apiKey) headers['Authorization'] = `Bearer ${apiKey}`;
+  return fetch(`${BASE}/certificates/${id}/export/pem?download=true`, { headers })
+    .then(r => {
+      if (!r.ok) throw new Error('Export failed');
+      return r.blob();
+    });
+};
+
+export const exportCertificatePKCS12 = (id: string, password: string = '') => {
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+  if (apiKey) headers['Authorization'] = `Bearer ${apiKey}`;
+  return fetch(`${BASE}/certificates/${id}/export/pkcs12`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ password }),
+  }).then(r => {
+    if (!r.ok) throw new Error('Export failed');
+    return r.blob();
+  });
+};
+
 // Agents
 export const getAgents = (params: Record<string, string> = {}) => {
   const qs = new URLSearchParams({ page: '1', per_page: '50', ...params }).toString();