Support Hardware Security Modules (HSMs) for Agent Bakery Keys (PKCS#11)

3 votes

The agent bakery "sign key" (private) keys are dangerous. Access to the private keys will enable an attacker to install software on each host with agent updates enabled. The encrypted private keys might also be found on backups. For compliance, some organisations (e.g. government, banks, ...) require these keys to be stored on an HSM.

Feature: Allow the use of private keys protected by an HSM to sign checkmk agents. PKCS#11 is a common standard to access all kinds of HSMs. OpenSSL already supports PKCS#11.

(Random list of some HSMs for a better understanding: https://cpl.thalesgroup.com/sites/default/files/content/product_briefs/field_document/2021-07/thales_luna_network_7_hsm_pb.pdf, https://www.nitrokey.com/de/produkte/nethsm, https://www.yubico.com/products/hardware-security-module/)
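As an added illustration of the requested workflow (not code from this request or from Checkmk): a POSIX shell helper that signs an agent package with `openssl dgst` and verifies it using only the public key, so the signing key itself never has to leave the HSM. It assumes OpenSSL 3 with the `pkcs11` provider installed whenever the key is given as a PKCS#11 URI; the URI, file names and package contents below are placeholders.

```shell
#!/bin/sh
# Added example (not from the request): sign and verify an agent package.
# KEY may be a PEM private key file or a PKCS#11 URI such as
#   "pkcs11:token=agent-bakery;object=sign-key"   (placeholder values)
# For a PKCS#11 URI, OpenSSL 3 plus the pkcs11 provider is assumed; the
# private key stays inside the HSM and only the digest is handed to it.
set -eu

# sign_package KEY PACKAGE SIGFILE
# Writes a detached SHA-256 signature of PACKAGE to SIGFILE.
sign_package() {
  key=$1; pkg=$2; sig=$3
  case "$key" in
    pkcs11:*)
      # Assumed: the pkcs11 provider registers a store loader for
      # "pkcs11:" URIs, so the URI can be passed directly to -sign.
      openssl dgst -sha256 -provider pkcs11 -provider default \
        -sign "$key" -out "$sig" "$pkg" ;;
    *)
      # File-based key (e.g. a test key); same command, no HSM involved.
      openssl dgst -sha256 -sign "$key" -out "$sig" "$pkg" ;;
  esac
}

# verify_package PUBKEY PACKAGE SIGFILE
# Returns 0 only if SIGFILE is a valid signature of PACKAGE under PUBKEY.
# The monitored host needs only the public key, never the signing key.
verify_package() {
  pub=$1; pkg=$2; sig=$3
  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$pkg" >/dev/null 2>&1
}

# Usage with an HSM-held key (placeholder URI, adjust to your token):
#   sign_package "pkcs11:token=agent-bakery;object=sign-key" agent.deb agent.sig
#   verify_package bakery-pub.pem agent.deb agent.sig && echo "signature OK"
```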

Under consideration Agent Bakery Suggested by: Christian Wittenhorst Upvoted: 15 Nov, '23 Comments: 0