@tashian tashian commented Jan 29, 2026

Summary

  • Block creation of new Linked CA deployments
  • Point users to Step CA Pro for Linked CA features
  • Document migration workflow using step-ca export --token and step-ca import

Changes

  • command/ca/init.go:
    • Remove "linked" from --deployment-type flag options
    • Return clear error when --deployment-type=linked is used
    • Remove "Linked" from interactive deployment type selection
    • Update help text to point users to Step CA Pro
  • CHANGELOG.md: Added deprecation notice with complete migration instructions

Migration Workflow

For users migrating from Linked CA to standalone mode:

# 1. Export from linked CA (while CA is running)
step-ca export "$(step path)/config/ca.json" --token "$STEP_CA_TOKEN" > export.json

# 2. Stop the CA

# 3. Update ca.json:
#    - Remove the authority.linkedca section
#    - Ensure authority.enableAdmin: true
#    - Ensure db is configured

# 4. Import provisioners and admins
step-ca import "$(step path)/config/ca.json" export.json

# 5. Start the CA without --token
step-ca "$(step path)/config/ca.json"

Behavior Summary

| Scenario | Before | After |
|---|---|---|
| step ca init --deployment-type=linked | Creates linked CA | Returns error with migration guidance |
| step-ca --token=xxx (existing) | Works silently | Works but shows deprecation warning |
| Interactive step ca init | Shows Standalone/Linked/Hosted | Shows Standalone/Hosted only |
| RA mode with linked | Allowed | Now only standalone is valid for RA |

Context

This is phase 1 of removing Linked CA from open-source step-ca. The linked deployment type is moving to Step CA Pro.

  • Release N (this PR): Block new linked CA creation, provide migration tools
  • Release N+2 or N+3: Remove linked CA code entirely from certificates repo

Related certificates PR: smallstep/certificates#2554

Test plan

  • make build passes
  • Tests pass
  • Manual test: step ca init --deployment-type=linked returns clear error
  • Manual test: Interactive step ca init shows only Standalone/Hosted options

🤖 Generated with Claude Code
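
An added example, not part of this PR or of step-ca: one way to apply and check step 3 of the migration workflow above on a parsed ca.json before running the import. The function name `prepare_standalone` and the sample config are assumptions; only the keys `authority.linkedca`, `authority.enableAdmin` and `db` come from the description.

```python
import copy
import json

# Constructed sample of a linked-CA ca.json; all values are illustrative only.
SAMPLE_LINKED_CONFIG = json.loads("""
{
  "address": ":443",
  "db": {"type": "badgerv2", "dataSource": "/home/step/db"},
  "authority": {
    "linkedca": {"placeholder": "constructed"},
    "provisioners": []
  }
}
""")


def prepare_standalone(config):
    """Apply step 3 to a parsed ca.json and report what was changed.

    Returns (new_config, changes, blockers). The input is not modified.
    Blockers are conditions this helper cannot fix on its own.
    """
    cfg = copy.deepcopy(config)
    changes, blockers = [], []

    authority = cfg.get("authority")
    if not isinstance(authority, dict):
        return cfg, changes, ["authority section is missing"]

    if "linkedca" in authority:
        del authority["linkedca"]
        changes.append("removed authority.linkedca")

    if authority.get("enableAdmin") is not True:
        authority["enableAdmin"] = True
        changes.append("set authority.enableAdmin to true")

    # Step 3 requires db to be configured before the import in step 4.
    if not cfg.get("db"):
        blockers.append("db is not configured")

    return cfg, changes, blockers


if __name__ == "__main__":
    new_cfg, changes, blockers = prepare_standalone(SAMPLE_LINKED_CONFIG)
    print(json.dumps(new_cfg, indent=2))
    for line in changes + [f"BLOCKER: {b}" for b in blockers]:
        print(line)
```

Write the returned config back to ca.json only when the blockers list is empty, and keep a copy of the original file until the CA has started without --token.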

Remove support for creating new Linked CA deployments:
- Remove "linked" from --deployment-type flag options
- Return clear error when --deployment-type=linked is used
- Remove "Linked" from interactive deployment type selection
- Update help text to point users to Step CA Pro

Existing Linked CAs can still run (via certificates repo) but
new ones cannot be created in open-source step-ca.

This is phase 1 of removing Linked CA from open-source step-ca.
A future release will remove the functionality entirely.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
github-actions bot added the "needs triage" label (Waiting for discussion / prioritization by team) Jan 29, 2026
tashian added a commit to smallstep/docs that referenced this pull request Jan 29, 2026
Update documentation to clarify that linked CA functionality is now
available exclusively through Step CA Pro, not open-source step-ca.

Related PRs:
- smallstep/certificates#2554
- smallstep/cli#1559

PRO-331

Co-Authored-By: Claude Opus 4.5 <[email protected]>
tashian and others added 2 commits January 29, 2026 19:56
Add complete migration workflow using the new step-ca import command
to the Linked CA deprecation section.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Cover the linked deployment type deprecation error and other
deployment type validation paths.

Co-Authored-By: Claude Opus 4.5 <[email protected]>