No longer update key lifetime if key is retired

No longer update key lifetime if key is retired

The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.

(cherry picked from commit 129973ebb0deb20405da553f20b5e8cdfe9a0e80)