tls: consider supporting PKCS12-encoded keys and certificates

[bobvawter]

We only seem to support flat, DER/PEM-encoded X509 certificates (this is not documented).

Java shops often use PKCS12 to bundle certificate chains and/or keys with their associated certificates, so it would be nice to support loading certificates and key materials from these archives or improving the resulting error message to point to a doc about converting from PKCS12 to PEM-encoded, flat certificates.

For future searches: something along the lines of openssl pkcs12 -export -noenc -chain -in cert.pkcs12 -out ca.crt will do the job.

cc: @knz @aaron-crl

Jira issue: CRDB-7707

[bobvawter]

In cases where a password has been applied to the pkcs12 container, it would be nice to be able to read that password out of a file, which could be bootstrapped by a k8s Secret, or InitContainer for integration with vaults.

[github-actions]

We have marked this issue as stale because it has been inactive for
18 months. If this issue is still relevant, removing the stale label
or adding a comment will keep it active. Otherwise, we'll close it in
10 days to keep the issue queue tidy. Thank you for your contribution
to CockroachDB!