TLS for name owners: add CA consolidation example and openssl verification checklist

[mstrofnone]

Two purely additive sections in docs/name-owners/tls/index.md:

1. ## Example: Consolidating Two CAs Into One (placed between the existing "Renewing a Non-Subordinate CA Certificate" example and the "Can I Renew a TLS Certificate without Rotating Keys?" FAQ).

   Walks through the case where a zone ended up with two CA pins (e.g. one at the apex map["*"].tls and a second pinning a specific subdomain), and the operator wants to drop the second one without rotating the surviving CA's key (so the on-chain TLSA pin doesn't move).

   Five-step recipe: verify on-disk CA matches the on-chain pin via openssl dgst -sha256 of the SPKI, mint fresh end-entity certs from the surviving CA for each affected host, deploy them, then a single name_update that removes the redundant TLSA. Calls out the ordering pitfall (deploy leaves before pushing the wallet update).

2. ### Verifying Your Deployment with openssl` as a subsection of the existing Testing Your Website section.

   Four-step checklist for verifying a Namecoin TLS deployment from the command line:

   • Show the served chain.
   • Hash the CA SPKI and compare against the on-chain TLSA.
   • Confirm the end-entity cert's SANs and that its Subject Serial Number is Namecoin TLS Certificate.
   • Verify the chain against the local CA file in isolation.

Both additions reference Hashed-mode TLSA shape ([2, 1, 1, "<base64-of-SHA-256>"]) and ncgencert invocation style consistent with the rest of the page.

No existing content is rewritten; no anchors or examples are renamed.