PKI: Add management APIs for ACME accounts (#29173)

* Allow a Vault operator to list, read and update PKI ACME accounts

 - This allows an operator to list the ACME account key ids, read
   the ACME account getting all the various information along with
   the account's associated orders and update the ACME account's
   status to either valid or revoked

* Add tests for new ACME management APIs

* Update PKI api-docs

* Add cl

* Add missing error handling and a few more test assertions

* PR feedback

* Fix Note tags within the website

* Apply suggestions from docscode review

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/api-docs/secret/pki/issuance.mdx

* Update website/content/api-docs/secret/pki/issuance.mdx

* Update website/content/api-docs/secret/pki/issuance.mdx

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

website/content/api-docs/secret/pki/issuance.mdx

@@ -13,6 +13,9 @@ description: This is the API documentation for the issuance protocol support in
   - [Delete Unused ACME EAB Binding Tokens](#delete-unused-acme-eab-binding-tokens)
   - [Get ACME Configuration](#get-acme-configuration)
   - [Set ACME Configuration](#set-acme-configuration)
+  - [List ACME Account Keys](#list-acme-account-keys)
+  - [Get ACME Account Info](#get-acme-account-info)
+  - [Update ACME Account Info](#update-acme-account-info)
 - [EST - Certificate Issuance <EnterpriseAlert inline="true" />](#est-certificate-issuance)
   - [EST Protocol Paths <EnterpriseAlert inline="true" />](#est-protocol-paths)
   - [Read EST Configuration <EnterpriseAlert inline="true" />](#read-est-configuration)
@@ -109,9 +112,13 @@ fetch an EAB token and pass it to the ACME client for use on the initial
 registration: this binds the ACME client's registration to an authenticated
 Vault endpoint, but not further to the client's entity or other information.
 
-~> Note: Enabling EAB is strongly recommended for public-facing Vault
-   deployments. Use of the `VAULT_DISABLE_PUBLIC_ACME` environment variable
-   can be used to enforce all ACME instances have EAB enabled.
+<Note title="Require EAB for public-facing Vault deployments">
+
+We strongly recommend enabling EAB for public-facing Vault
+deployments. Use the `VAULT_DISABLE_PUBLIC_ACME` environment
+variable to force-enable EAB for all ACME instances.
+
+</Note>
 
 #### ACME accounts
 
@@ -367,6 +374,148 @@ $ curl \
 }
 ```
 
+### List ACME account keys
+
+The `ListAcmeAccountKeys` endpoint returns a list of ACME account key
+identifiers.
+
+| Method | Path                           |
+|:-------|:-------------------------------|
+| `LIST` | `/pki/acme/mgmt/account/keyid` |
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/pki/acme/mgmt/account/keyid
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "keys": [
+      "2ea9859a-eba8-ff24-cd03-2a51639fc7d5"
+    ]
+  }
+}
+```
+
+### Get ACME account info
+
+The `GetAcmeAccountInfo` endpoint returns account information,
+including orders and certificate details, for the provided ACME account
+key.
+
+| Method | Path                                   |
+|:-------|:---------------------------------------|
+| `GET`  | `/pki/acme/mgmt/account/keyid/:key_id` |
+
+#### Path parameters
+
+- `key_id` `(string: <required>)` - ID of the target ACME account.
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/acme/mgmt/account/keyid/2ea9859a-eba8-ff24-cd03-2a51639fc7d5
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "contacts": null,
+    "created_time": "2024-12-12T12:55:50-05:00",
+    "directory": "acme/",
+    "eab": {
+      "created_time": "2024-12-12T12:55:29-05:00",
+      "directory": "acme/",
+      "eab_id": "24c0673a-df53-0671-a628-e7b9c995485c",
+      "key_type": "hs"
+    },
+    "key_id": "2ea9859a-eba8-ff24-cd03-2a51639fc7d5",
+    "orders": [
+      {
+        "cert_expiry": "2024-12-13T17:55:28Z",
+        "cert_serial_number": "4a:6f:d0:f7:13:55:f7:c9:19:82:fc:34:69:67:77:2e:58:27:02:8b",
+        "identifiers": [
+          "testing.dadgarcorp.com"
+        ],
+        "order_expiry": "2024-12-13T12:56:04-05:00",
+        "order_id": "90699994-8863-571c-26b0-46755e0db351",
+        "status": "valid"
+      }
+    ],
+    "revoked_time": "",
+    "status": "valid"
+  },
+}
+```
+
+### Update ACME account info
+
+The `UpdateAcmeAccountInfo` endpoint revokes or re-enables an ACME
+account and returns the account details excluding order or certificate
+details.
+
+| Method | Path                                   |
+|:-------|:---------------------------------------|
+| `POST` | `/pki/acme/mgmt/account/keyid/:key_id` |
+
+#### Path parameters
+
+- `key_id` `(string: <required>)` - ID of the target ACME account.
+
+
+### Parameters
+
+- `status` `(string: <required>)` - The new account status. Must be one of:
+ `revoked`, `valid`.
+
+<Note title="ACME account revocation does not revoke certificates">
+
+Revoking an ACME account forbids further operations on the account
+without revoking existing certificates. You must revoke any existing
+certificates manually.
+
+</Note>
+
+#### Sample request
+
+```
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/pki/acme/mgmt/account/keyid/2ea9859a-eba8-ff24-cd03-2a51639fc7d5
+```
+
+#### Sample response
+
+```
+{
+  "data": {
+    "contacts": null,
+    "created_time": "2024-12-12T12:55:50-05:00",
+    "directory": "acme/",
+    "eab": {
+      "created_time": "2024-12-12T12:55:29-05:00",
+      "directory": "acme/",
+      "eab_id": "24c0673a-df53-0671-a628-e7b9c995485c",
+      "key_type": "hs"
+    },
+    "key_id": "2ea9859a-eba8-ff24-cd03-2a51639fc7d5",
+    "revoked_time": "2024-12-12T12:59:02-05:00",
+    "status": "revoked"
+  },
+}
+```
+
 ## EST Certificate issuance <EnterpriseAlert inline="true" />
 
 Within Vault Enterprise, support can be enabled for the