The local development server cert generation in pkg/controller/controllercmd/cmd.go currently uses the legacy crypto.MakeSelfSignedCA and ca.MakeServerCert functions with hardcoded RSA-2048.

Migrate to use the new crypto.NewSigningCertificate / CA.NewServerCertificate functions with a KeyConfig, using either:

• Hardcoded KeyConfig values matching the default profile (RSA-2048), or
• pki.DefaultPKIProfile() + pki.ResolveCertificateConfig() to exercise the full profile resolution path

Low priority since these are ephemeral dev-only certs that nothing trusts, but switching ensures the new code path gets exercised in development.