Support storing certificates without private keys
Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:
* storing an internal CA public cert in the same place other internal certs are stored
* Store the public cert for trusted clients, where the private key is only on the client
The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse or search certs. Secrets aren't ideal b/c secrets are generally more sensitive, and should have more restricted access, whereas everything stored in a keyvault "cert" is less sensitive.
Adding another scenario: use the KV for inbound mutual authentication where only the public key is known.
*checking certificate details (thumbprint, x5t, CN, expiration)
*tracking certificate expiration
*comparing x5t header from other services (ex: APIM)