Add API to delete a service principal key, service-disable and host-disable. This is so an admin can essentially revoke a service principal without deleting it (a host stores its own host service principal).
I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable.
This also adds a new output parameter, has_keytab. It is a boolean that indicates whether the entry has a kerberos principal key (or at least our best guess at it).