Explore options to avoid storing PFX password

Open LainRobertson opened this issue 4 months ago • 8 comments

Issue

Currently, if you successfully call New-PACertificate then the PFX password is retained on storage in the order.json in base64 format, which is far too easily decoded.

Request

Can we please have an option to not store the password on storage?

Additional comments

There are likely multiple means of achieving this, but as someone who uses only the basic functionality of the module, what I'd like to see is:

  1. A switch added to New-PACertificate that aligns to an "opt-out" approach of not storing the password in order.json;
  2. A SecureString (and a plain text alternative if necessary) parameter added to Submit-Renewal that would hold the PFX password for renewals.

By choosing an opt-out design, it should not impact existing automation/orchestration while allowing for the request to be met.

This approach would leave the password orchestration to the calling automation wrapper, which is preferable.

LainRobertson avatar Aug 12 '25 02:08 LainRobertson