scep
use vault or cfssl as PKI backends
Right now the server keeps track of certs in a local folder. Both cfssl and Vault have robust PKI APIs that the server can use instead.
Do you have any vision about the implementation?
I've been looking at this and at cfssl and might take a crack at it. I guess the most tiresome part is converting certs back and forth. I looked at the code and it seems that it requires some extending of the Depot, a few methods and structs for communicating with the cfssl endpoints, and then something to convert the certs back and forth. But I guess that's about it?
@jiuweigui the current depot interface is
```go
import (
	"crypto/rsa"
	"crypto/x509"
	"math/big"
)
type Depot interface {
	CA(pass []byte) ([]*x509.Certificate, *rsa.PrivateKey, error)
	Put(name string, cert []byte) error
	Serial() (*big.Int, error)
}
```
I'm not opposed to making changes to it as needed to accommodate a remote backend. I would like to keep a consistent, minimal interface to support multiple potential backends however.
If you're interested in implementing support for cfssl, I'd be happy to review/merge your changes :) I'm a bit unclear, what you mean by "converting certs back and forth"?
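For anyone picking this up, here is a sketch of what "converting certs back and forth" amounts to against the Depot interface above. This is an added example, not code from micromdm/scep, cfssl or Vault: `PKIBackend`, its three method names and `fakeBackend` are assumptions made for the example (a real adapter would implement `PKIBackend` with HTTP calls to the service). What is not an assumption is the wire format: both cfssl and Vault hand certificates back as PEM strings inside JSON, while the SCEP server works in DER and Go's `x509`/`rsa` types, so the adapter converts at the boundary and refuses anything that is not exactly one block of the expected type. One caveat worth deciding early: `CA()` returns the CA's `*rsa.PrivateKey`, which a backend that keeps the CA key for itself (Vault's PKI engine, or cfssl with remote signing) cannot supply, so such a backend needs the Depot interface extended with a signing method rather than a key-returning one.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Depot is the interface quoted in the thread.
type Depot interface {
	CA(pass []byte) ([]*x509.Certificate, *rsa.PrivateKey, error)
	Put(name string, cert []byte) error
	Serial() (*big.Int, error)
}

// PKIBackend is a hypothetical client surface for a cfssl- or Vault-style service (PEM in, PEM out).
// Its method names are assumptions made for this example; a real adapter would back them with HTTP calls.
type PKIBackend interface {
	FetchCA() (certPEM, keyPEM []byte, err error)
	StoreCert(name string, certPEM []byte) error
	NextSerial() (string, error)
}

// remoteDepot adapts a PKIBackend to Depot; every DER<->PEM conversion happens here, at the boundary.
type remoteDepot struct{ backend PKIBackend }
func NewRemoteDepot(b PKIBackend) Depot { return &remoteDepot{backend: b} }

// CA fetches the CA cert and key as PEM and converts them to the server's types; pass is ignored (key protection is the service's job).
func (d *remoteDepot) CA(pass []byte) ([]*x509.Certificate, *rsa.PrivateKey, error) {
	certPEM, keyPEM, err := d.backend.FetchCA()
	if err != nil {
		return nil, nil, err
	}
	cb, crest := pem.Decode(certPEM)
	kb, krest := pem.Decode(keyPEM)
	if cb == nil || kb == nil || cb.Type != "CERTIFICATE" || kb.Type != "RSA PRIVATE KEY" || strings.TrimSpace(string(crest)+string(krest)) != "" {
		return nil, nil, fmt.Errorf("ca: expected exactly one CERTIFICATE and one RSA PRIVATE KEY block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return nil, nil, err
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{cert}, key, nil
}

// Put takes the DER the server hands the depot, checks that it really is a certificate, and stores it as PEM.
func (d *remoteDepot) Put(name string, cert []byte) error {
	if _, err := x509.ParseCertificate(cert); err != nil {
		return fmt.Errorf("put %q: not a DER certificate: %w", name, err)
	}
	return d.backend.StoreCert(name, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}))
}

// Serial lets the backend allocate serials (so several SCEP servers never collide) and validates the reply.
func (d *remoteDepot) Serial() (*big.Int, error) {
	s, err := d.backend.NextSerial()
	if err != nil {
		return nil, err
	}
	n, ok := new(big.Int).SetString(strings.TrimSpace(s), 10)
	if !ok || n.Sign() <= 0 {
		return nil, fmt.Errorf("serial: backend returned %q", s)
	}
	return n, nil
}

// fakeBackend is an in-memory stand-in constructed for this example so it runs without cfssl or Vault.
type fakeBackend struct {
	certPEM, keyPEM []byte
	serial          int64
	certs           map[string][]byte
}

// NewFakeBackend generates a throwaway self-signed CA and serves it as PEM, the way a real service would.
// Errors are ignored on purpose: this is fixture code, and neither call fails with rand.Reader and a sane template.
func NewFakeBackend() *fakeBackend {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example SCEP CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &fakeBackend{
		certPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		keyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		certs:   map[string][]byte{},
	}
}

func (f *fakeBackend) FetchCA() ([]byte, []byte, error)   { return f.certPEM, f.keyPEM, nil }
func (f *fakeBackend) StoreCert(n string, p []byte) error { f.certs[n] = p; return nil }
func (f *fakeBackend) NextSerial() (string, error)        { f.serial++; return fmt.Sprint(f.serial), nil }
```

Wiring it in would be `NewRemoteDepot(realCfsslClient)` wherever the file depot is constructed today; `Put` keeps receiving DER, because that is what the server already writes to disk, and the adapter is the only place that knows the backend wants PEM. Delegating `Serial` to the backend is deliberate: once two SCEP servers share one remote CA, a locally incremented counter is no longer unique.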