Support TLS certificate & key pair

[UXabre]

Integrated the support for a "regular" certificate & key pair (since it is supported on Manticore)
The certificate only supports PEM, the private key only support PKCS#8

Background info: My use case is to predominantly use this in combination with Hashicorp Vault, where the creation of both these (a pem cert and pkcs8 key) comes out of the box

Addresses #672 to some extend

[cla-checker-service]

💚 CLA has been signed

[UXabre]

Hi, anything that needs to done to push this one forward?

[UXabre]

Anything on the triaging of this PR? (I see it now has conflicts which would need to be resolved first, but I wanted to learn if it would be wise to do it now?)

[UXabre]

Resolved conflicts :-)

[kares]

Hey Aren, this is looking great 👍

I'll be looking into testing TLS 1.3 support and since that might introduce an option for specifying the protocol we might want to align the naming. Haven't decided the naming strategy yet but I am going to keep this PR in mind and eventually provide feedback.

Thank your for your efforts so far!

[UXabre]

Hi @kares , thanks for your input! Completely agree to align on these things, I'll be awaiting your input and take actions based on those :-)

[kares]

Sorry, I forgot about this - for now we seem to be following the naming as established by ES/Beats.
In this case ssl.key and ssl.certificate is used in ES which would end up as ssl_key and ssl_certificate options in Logstash.

There's still one gotcha when introducing official alignment with the rest of the stack we should primarily support the same format - Manticore supports PKCS#8 explicitly but I think, as the test suggest if I am not wrong, PKCS#12 format works implicitly. Thus the docs should probably advertise using .p12.

[UXabre]

Hi @kares ,
Thanks for getting back on this subject.
I'll change the names accordingly.

To be honest, I don't completely understand the second bit on documentation though, I only really tested with PKCS#8, I could try and expand the tests with PKCS#12 to be sure that it works. If so, I can add that both these are supported, but that's probably not what you meant?

[kares]

The concern is when introducing ssl_certificate we should make sure it works with .p12 files.
PKCS#8 is fine to support but we should be aligned with the rest of the Elastic stack.

I'll be off after a few days so feel free to ping someone else from the team when the PR is ready for review.

[edmocosta]

Hey Arend! Thank you very much for taking the time to open this PR and sorry for the long waiting! We recently started working on standardizing the SSL settings across all the plugins (elastic/logstash#14905), and this feature was incorporated into the SSL normalization PR (#1118). Thanks!