Add certutil http command

[tvernum]

This adds a new "http" sub-command to the certutil CLI tool.

The http command generates certificates/CSRs for use on the http
interface of an elasticsearch node/cluster.
It is designed to be a guided tool that provides explanations and
sugestions for each of the configuration options. The generated zip
file output includes extensive "readme" documentation and sample
configuration files for core Elastic products.

[elasticmachine]

Pinging @elastic/es-security (:Security/Network)

[tvernum]

This currently only supports elasticsearch/ and kibana/ output.
I will add beats, logstash & clients at a later date, but I wanted to get the core done first, and then tweak it.

[jkakavas]

Did a first round today, I want to look at this once more, from a user's perspective this time as in actually using the tool, and I'll put in additional comments. Impressive amount of user-friendliness here @tvernum :)

[azasypkin]

Kibana related pieces look good to me and everything seems to be in order (apart from minor path related issue). I assume PKI auth between Kibana and Elasticsearch is out of scope of this PR. Is there anything specific you want us to look at @tvernum?

Impressive amount of user-friendliness here @tvernum :)

I want to second this, the guidance is super clear and helpful!

[tvernum]

Suggested change

	// trust the extension for some file-types rather then inspecting the contents
	// trust the extension for some file-types rather than inspecting the contents

[tvernum]

Suggested change

	// A Key and something else. Could be a cert + key paired, but we don't support that
	// A Key and something else. Could be a cert + key pair, but we don't support that

[tvernum]

I assume PKI auth between Kibana and Elasticsearch is out of scope of this PR.

It is. I'd like to include it down the track, but I suspect that most people who decide to implement mutual TLS have an existing tool set that they're comfortable with, so I'll be prioritising the config other component (beats, language clients, etc) first.

Is there anything specific you want us to look at @tvernum?

If the Kibana setup makes sense (except for my path problem) then the main feedback I'm after is any suggestions for improvements in the text (or other UI feedback such as changing the order of the questions, etc).
I'm sure the current choice words have a lot of my viewpoint built in to them (e.g. using Australian terminology/idioms, or technical blind spots from years of TLS-wrangling), so just telling me if something sounds weird/confusing to you is helpful.

[jkakavas]

The path is ( can be ) relevant to the ES_PATH_CONF of the elasticsearch installation. I am not sure if this is worth pointing out but, if users don't enter a full path ( starting with /) the error message can be somewhat confusing.

[jkakavas]

Suggested change

	terminal.println("Your private keys will be stored as a PEM formatted file.");
	terminal.println("Your private key(s) will be stored as PEM formatted file(s).");

[tvernum]

@jkakavas I've addressed most of your comments. If I missed any that you still think are important, let me know and we'll work out a solution.

[jkakavas]

@jkakavas I've addressed most of your comments. If I missed any that you still think are important, let me know and we'll work out a solution.

Thanks for the iterations Tim. I have no more blocking feedback, I'd be very happy to see this merged

[jkakavas]

LGTM

[tvernum]

Thanks @jkakavas
I'm going to merge this as is, and work on docs and packaging tests in a followup PR.