Allow multiple TLS certificates per HTTPS listener

[sarthyparty]

Is your enhancement request related to a problem? Please describe.
Currently an HTTPS listener in NGINX Gateway Fabric supports only a single tls.certificateRef. This is limiting when we need to serve multiple certificates (e.g., a wildcard certificate plus a specific SAN certificate, or during certificate rotations/Let’s Encrypt renewals) on the same listener/port. To work around this, we must create multiple listeners on the same port, one per hostname, which adds configuration duplication and complexity.

What would you like to be added:
Allow an HTTPS listener to use multiple TLS certificates. Ideally NGF would honor all entries in tls.certificateRefs (aligned with the Gateway API spec), loading each secret and selecting the correct certificate via SNI at runtime.

Why this is needed:

• Simplifies configuration: one listener can cover multiple hostnames/certs instead of duplicating listeners.
• Supports smooth certificate rotation (old + new cert simultaneously).
• Aligns with Gateway API semantics where certificateRefs is a list.
• Reduces risk of misconfiguration by consolidating related hostnames under a single listener block.

Additional context
Example desired configuration:

listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    tls:
      certificateRefs:
        - kind: Secret
          name: wildcard-example-com
        - kind: Secret
          name: special-app-cert

NGF would load both secrets and select the appropriate cert via SNI. If only partial support is feasible initially, even allowing two refs (for rotation) would be helpful.