
add certificate revocation feature #21

Open
komuw opened this issue Jul 15, 2017 · 3 comments

Comments

@komuw
Owner

komuw commented Jul 15, 2017

https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-6.6

To request that a certificate be revoked, the client sends a POST
   request to the ACME server's revoke-cert URI.  The body of the POST
   is a JWS object whose JSON payload contains the certificate to be
   revoked:

   certificate (required, string):  The certificate to be revoked, in
      the base64url-encoded version of the DER format.  (Note: This
      field uses the same modified Base64 encoding rules used elsewhere
      in this document, so it is different from PEM.)

   POST /acme/revoke-cert HTTP/1.1
   Host: example.com

   {
     "resource": "revoke-cert",
     "certificate": "MIIEDTCCAvegAwIBAgIRAP8..."
   }
   /* Signed as JWS */

   Revocation requests are different from other ACME requests in that
   they can be signed either with an account key pair or the key pair in
   the certificate.  Before revoking a certificate, the server MUST
   verify that the key used to sign the request is authorized to revoke
   the certificate.  The server SHOULD consider at least the following
   keys authorized for a given certificate:

   o  the public key in the certificate.

   o  an account key that is authorized to act for all of the
      identifier(s) in the certificate.
   If the revocation succeeds, the server responds with status code 200
   (OK).  If the revocation fails, the server returns an error.
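As an added example (not code from this issue or from the project), here is the section 6.6 payload and JWS built in Python, plus the format check a server would run before the key-authorization step: the "certificate" field must be unpadded base64url of the DER, so PEM text or padded base64 is rejected. SAMPLE_PEM is a constructed stand-in (a tiny DER SEQUENCE, not a real X.509 certificate) and the `sign` callback stands in for the account key's or the certificate key's signing routine.

```python
import base64
import json
import re

# Constructed stand-in for a PEM certificate: a tiny DER SEQUENCE, not a real X.509 cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAYEBPv//j8=\n-----END CERTIFICATE-----\n"

def b64url(data: bytes) -> str:
    """JWS/ACME base64url: URL-safe alphabet and no '=' padding (unlike PEM)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pem_to_der(pem: str) -> bytes:
    """PEM wraps standard, padded base64 in BEGIN/END lines; ACME wants the raw DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()))

def der_length_ok(der: bytes) -> bool:
    """A certificate is a DER SEQUENCE (tag 0x30) whose length must cover the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    body, hdr = der[1], 2
    if body >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = body & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + body == len(der)

def revoke_payload(pem: str) -> dict:
    """The JSON payload from section 6.6: base64url(DER) in the 'certificate' field."""
    return {"resource": "revoke-cert", "certificate": b64url(pem_to_der(pem))}

def sign_jws(payload: dict, protected: dict, sign) -> dict:
    """Flattened JWS; `sign` is the account key's or the certificate key's signing routine."""
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return {"protected": p, "payload": pl, "signature": b64url(sign(f"{p}.{pl}".encode()))}

def check_revoke_payload(jws: dict) -> bool:
    """Server-side format check before verifying the signing key is authorized to revoke."""
    payload = json.loads(b64url_decode(jws["payload"]))
    cert = payload.get("certificate", "")
    if payload.get("resource") != "revoke-cert" or not re.fullmatch(r"[A-Za-z0-9_-]+", cert):
        return False  # rejects PEM text and padded base64 alike
    return der_length_ok(b64url_decode(cert))
```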
@komuw
Owner Author

komuw commented Jul 15, 2017

We probably want to use something like https://crt.sh [1] to search all non-expired certs of a given domain.
Then:
   for cert in non_expired_certs(domain):
      download cert
      get public-key from cert
      revoke(cert) using public-key

  1. https://crt.sh/?q=google.com
