OVA shared TLS certificate #881

Closed
3 tasks done
andrewtchin opened this issue Sep 26, 2017 · 2 comments
Labels
product/ova Related to the OVA packaging of vSphere Integrated Containers

Comments


andrewtchin commented Sep 26, 2017

@andrewtchin commented on Wed Jul 05 2017

User Statement:

As a user I want to be able to use the same TLS certificate across all components of the OVA, whether it is generated by the OVA or entered during the OVA deploy.

Details:
We currently generate a separate self signed cert for each component or require the user to enter multiple certificates (or the same certificate multiple times) in the deploy. Change this to be shared so the user can enter it once.
Also examine how we handle a user provided CA (is it added to the root store?) and how that impacts appliance initialization (skip thumbprint verification on Getting Started Page if we trust the cert on vCenter - this investigation may lead to opening another issue)

Acceptance Criteria:

andrewtchin (Contributor, Author) commented

account for encrypted private key

```
Jan 09 17:06:51 server.local start_fileserver.sh[2137]: time="2018-01-09T17:06:51Z" level=fatal msg="Failed to load certificate /opt/vmware/fileserver/cert/server.crt and key /opt/vmware/fileserver/cert/server.key: tls: failed to parse private key"
```


andrewtchin commented Feb 2, 2018

Doc updates:

  • DCUI shows SHA1 fingerprint of certificate (may not show up immediately on boot since cert isn't generated/read yet, but refreshes later)
  • Single TLS certificate is used for all services running on the appliance
  • User provided certificate fields in OVA deploy moved to the same section as password
  • If user provided PKCS1 (-----BEGIN RSA PRIVATE KEY-----) format cert is detected, it is automatically converted to PKCS8 format
  • Requirement of unencrypted PEM format for user provided certificate remains
