
gnoi.certificate: clarify service use of non-TLS server sockets

Open andaru opened this issue 7 years ago • 0 comments

Looking at the gnoi.certificate service defined in gnoi_cert.proto, there's no mention of the gRPC server having to use a TLS socket with service gnoi.certificate, but that may have been an assumption.

I can see two primary scenarios for server implementors:

  • Servers and clients must use TLS sockets for all RPC methods. -- In this case, the target must have already had its initial certificate configured (e.g., via some external automation), and its certificate_id and related endpoints are registered in the GNOI certificate server, ready for further RPCs.
  • Servers serve Rotate via TLS socket, but could serve Install (perhaps only the first time?) and/or some other methods via a non-TLS socket.

Could the gnoi_cert.proto be updated with some words describing the server expectations made by clients?

andaru · Jun 27 '17 19:06