This repository has been archived by the owner on Mar 30, 2023. It is now read-only.

Support TLS for Elasticsearch and Additional YAML for Kibana #187

Merged: 61 commits merged on Jul 11, 2018

Commits on Jul 4, 2018

  1. Update links

    russcam committed Jul 4, 2018
    4cd22fd
  2. 530b602
  3. Add support for HTTP and Transport layer encryption

    This commit adds support for securing HTTP and Transport layers with PKCS#12 archive certificates. This allows
    easier configuration for a cluster that has a commercial license.
    russcam committed Jul 4, 2018
    fd91dbf
  4. update links

    russcam committed Jul 4, 2018
    d4cebf8
  5. Add certificate verification mode

    This commit adds certificate verification mode for TLS for HTTP and Transport layer.
    Since a user can supply a certificate that would fail full verification mode, default to
    certificate mode.
    russcam committed Jul 4, 2018
    fcf1c66
  6. 3c9c96a
  7. 129ef1e
  8. 477b201
  9. c8c9df1
  10. Always echo cert password to openssl

    This commit always passes the password for a PKCS#12 archive cert to openssl, to convert
    to PEM format, even when the password is an empty string.
    
    Use the insecure flag when calling localhost over HTTPS with curl. Since the subject name in the certificate
    used to secure the HTTP layer may not match the host name localhost (it's likely to be tied to a public domain
    name), the --cacert flag for curl cannot be used.
    russcam committed Jul 4, 2018
    f135795
  11. c55bb77
  12. Don't verify the Elasticsearch certificate for 5.2.0 and older

    This commit sets elasticsearch.ssl.verify: false for Kibana 5.2.0 and older. Kibana connects to
    Elasticsearch through an internal load balancer IP address which will likely fail verification which
    will also verify hostname, so disable verification by default for these versions.
    russcam committed Jul 4, 2018
    1b354e2
  13. Additional log messages

    russcam committed Jul 4, 2018
    1b55de6
  14. Add details for Kibana cert and key format

    This commit adds detail to specify that the Kibana cert and key are in PEM format.
    Support for a PKCS#12 archive in future would be useful.
    russcam committed Jul 4, 2018
    55720cb
  15. Pass parameters through parameters-file argument

    This commit updates integration tests to use the parameters-file argument to pass the
    parameters to azure cli. Since parameters can now contain base 64 encoded certificates,
    the input can be longer than the maximum characters allowed in Windows (8192).
    
    Add generated certificates for integration tests.
    russcam committed Jul 4, 2018
    3953d3c
  16. Add --test parameter to filter integration tests

    This commit adds a --test parameter to be able to filter the integration
    tests that should be run. The parameter value is a regular expression string.
    russcam committed Jul 4, 2018
    bf30f75
  17. Update README

    Include additional parameters in README.
    Add notes for additional arguments for npm run test
    russcam committed Jul 4, 2018
    529c200
  18. 6e41fee
  19. Pass cert when making requests in integration tests

    This commit adds the certificate CA to requests made in integration tests
    russcam committed Jul 4, 2018
    f7febc6
  20. f1e8790
  21. d8a2a77
  22. Whitelist indices starting with dot (.)

    This commit changes the integration test that tests the yaml configuration parameters
    to whitelist any indices starting with a dot; the .security index is too restrictive for the indices
    created by alerting/watcher.
    russcam committed Jul 4, 2018
    5203535
  23. Update links

    russcam committed Jul 4, 2018
    32f5e84
  24. Tidy up scripts

    Move common paths to variables
    Remove superfluous quotes
    russcam committed Jul 4, 2018
    2bb958c

Commits on Jul 5, 2018

  1. Configure Application Gateway to work with TLS on backend pool

    This commit adds support for TLS from Application Gateway to the backend pool.
    Application Gateway communicates with the backend pool through the internal
    loadbalancer, and the public key(s) for certificate(s) used by the backend pool
    must be whitelisted by Application Gateway by providing these details to it.
    
    This means that for TLS on the HTTP layer in conjunction with Application Gateway,
    only the single esHttpCertBlob option can be supported.
    
    In the case of esHttpCaCertBlob which is used to generate a cert for HTTP layer
    for each VM/node in the cluster, the public keys for these certs cannot be
    automatically added to Application Gateway as part of deployment.
    russcam committed Jul 5, 2018
    8560e76
  2. Pass Elasticsearch HTTP CA cert for Kibana configuration

    This commit passes the Elasticsearch HTTP CA cert to Kibana
    to configure TLS to Elasticsearch from Kibana. When a CA cert
    is provided, it is used to configure the certificate authority.
    
    The presence of an Elasticsearch HTTP cert overrides the
    presence of a HTTP CA cert. That is, if a HTTP cert is provided,
    the certificate authority will be extracted from the PKCS#12 archive.
    If no CA cert is present, the verification mode for TLS with Elasticsearch
    will be set to none.
    
    Change owner of directory and files in /etc/elasticsearch/ssl
    russcam committed Jul 5, 2018
    8bc0b69
  3. Always require a CA to generate Transport layer certs

    Use hostname and IP address SANs when generating certs
    russcam committed Jul 5, 2018
    62eb0f3
  4. Move HTTP CA parameters outside of variable

    When HTTP CA password is an empty string, the value is incorrectly passed to certutil
    russcam committed Jul 5, 2018
    a933f47
  5. feae8ed
  6. 66844c5
  7. 9c71b35
  8. 8762515
  9. f7029c1
  10. require cert or CA when configuring TLS for HTTP layer

    This commit requires that a cert or CA is provided to set up TLS on
    the HTTP layer. When a cert is provided, it will take preference, and
    Kibana will be configured with certificate verification mode. The most likely
    use case for cert is to provide a cert for a CNAME pointing at the external
    loadbalancer public IP.
    
    When a CA is provided, HTTP certs are generated for each node, including the
    node DNS and IP as Subject Alternative Names, as well as the internal loadbalancer
    public IP as a Subject Alternative Name in the cert. Including the internal loadbalancer IP
    allows Kibana to be set to full verification mode when communicating internally. A client
    communicating through the external loadbalancer can verify certs provided against the CA.
    A client communicating through Application Gateway will use the cert configured for the
    Gateway.
    russcam committed Jul 5, 2018
    5f71218
  11. f69a3a2
  12. Extract clcert from HTTP CA

    russcam committed Jul 5, 2018
    99944a9
  13. 8b5afa0
  14. 71d0aaf
  15. Tidy up log messages

    russcam committed Jul 5, 2018
    f8522d9
  16. Remove versions less than 5.3.x from the template

    This commit removes versions less than 5.3.x from the template.
    5.0.x and 5.1.x are now EOL and 5.2.x will be EOL end of July.
    
    5.2.x is removed now because Kibana Console does not work with self-signed
    certs; Kibana itself works, but not console, responding with
    
        Client request error: unable to verify the first certificate
    
    Closes #199
    russcam committed Jul 5, 2018
    30884fd
  17. 8b210cc
  18. add8a34
  19. Add new parameters to README

    russcam committed Jul 5, 2018
    890ecb9
  20. 3110267
  21. Tidy up log messages

    russcam committed Jul 5, 2018
    e8df296
  22. fd934d4
  23. 1d09203
  24. f995ec4
  25. Remove hostname verification in integration tests

    This commit removes the hostname verification check used
    by the node's request module. Since all certs used are self-signed,
    hostname verification will fail. Tests still verify the CA.
    russcam committed Jul 5, 2018
    35c3337

Commits on Jul 6, 2018

  1. Check certs are CAs

    russcam committed Jul 6, 2018
    48ffb41
  2. 2d731ea
  3. Support --nodestroy parameter

    This commit adds a --nodestroy parameter that when passed,
    does not delete resource groups after integration tests
    russcam committed Jul 6, 2018
    bde3436
  4. Update README

    russcam committed Jul 6, 2018
    5169972

Commits on Jul 10, 2018

  1. Rename appGatewayEsHttpCertPublicKey and associated properties

    This commit renames the mainTemplate appGatewayEsHttpCertPublicKey
    to simply appGatewayEsHttpCertBlob, to indicate that the parameter is the
    public key and should be provided Base-64 encoded.
    russcam committed Jul 10, 2018
    8736137
  2. Address PR comments

    This commit addresses the PR comments to improve the descriptions
    for each of the parameters, and include a section on how to pass
    certificate related parameters.
    russcam committed Jul 10, 2018
    c954053
  3. Address PR comments

    russcam committed Jul 10, 2018
    b2fd3c8

Commits on Jul 11, 2018

  1. 45969c5
  2. 1433fd5
  3. baf4ce3
  4. 8ff135d
  5. Update links

    russcam committed Jul 11, 2018
    38daff3