TLS session resume should share session key in certificate builder #2708

Closed
@elcallio

ATM, the session key used for TLS 1.3 resume mode is generated per certificate bundle.
This does not match the common use cases in certain big consumers of Seastar APIs (Scylla),
where a builder typically creates a certificate set per shard.
As is, sessions will only be reusable per certificate set object.

The obvious fix is to create the key already in the builder, and propagate it to all generated certificate sets.
This does open up some concern if someone were to use the same cert builder to generate disparate
certificate sets. But it is probably a pattern that can be handled by a simple documented "don't!".
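
An added illustration, not part of the original issue and not Seastar or GnuTLS code: a small Python model of the per-shard resumption behaviour and the shared-builder caveat described above. `CertSet`, `Builder`, `share_key` and the HMAC-sealed ticket are assumptions of the model; real TLS session tickets are encrypted as well as authenticated.

```python
import hashlib
import hmac
import os


class CertSet:
    """Model of one certificate set (for example, one per shard)."""

    def __init__(self, name, ticket_key=None):
        self.name = name
        # Behaviour described in the issue: no key handed in, so each set makes its own.
        self.ticket_key = ticket_key or os.urandom(32)

    def issue_ticket(self, session_state: bytes) -> bytes:
        tag = hmac.new(self.ticket_key, session_state, hashlib.sha256).digest()
        return tag + session_state

    def accept_ticket(self, ticket: bytes) -> bool:
        tag, state = ticket[:32], ticket[32:]
        expected = hmac.new(self.ticket_key, state, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


class Builder:
    """Model of the certificate builder; share_key=True is the proposed fix."""

    def __init__(self, share_key: bool):
        self.shared_key = os.urandom(32) if share_key else None

    def build(self, name: str) -> CertSet:
        return CertSet(name, self.shared_key)


def resume_rate(builder: Builder, shards: int = 4) -> float:
    """Fraction of (issuing shard, receiving shard) pairs where resumption works."""
    sets = [builder.build(f"shard{i}") for i in range(shards)]
    state = b"constructed-session-state"  # constructed sample input
    hits = sum(acc.accept_ticket(iss.issue_ticket(state))
               for iss in sets for acc in sets)
    return hits / (shards * shards)


def cross_set_accepts(builder: Builder) -> bool:
    """Caveat from the issue: one builder reused for two disparate certificate sets."""
    internal, public = builder.build("internal"), builder.build("public")
    return public.accept_ticket(internal.issue_ticket(b"constructed-session-state"))


if __name__ == "__main__":
    print("per-set keys:", resume_rate(Builder(False)), cross_set_accepts(Builder(False)))
    print("builder key: ", resume_rate(Builder(True)), cross_set_accepts(Builder(True)))
```

With per-set keys a returning client resumes only when it lands on the shard that issued its ticket; with a builder-level key every shard accepts it, and so does any unrelated certificate set produced by the same builder.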
