Use PKCS #8 by default for private keys #387

Open
@maraino

Add option to save a private key using PKCS #8

Description

Some frameworks do not support PKCS #1 or SEC1 EC formats for the private key and require the use of PKCS #8.
See smallstep/autocert#17 (comment)

We should add the flag --pkcs8 or --format pkcs8 to at least the following commands:

  • step ca certificate
  • step ca sign
  • step ca renew

Autocert should also support this option.

Currently we can transform a PKCS #1 or SEC1 EC key to PKCS #8 using:

step crypto key format --pkcs8 --pem --no-password --insecure --out site.pkcs8.pem site.pem

Update

We should default to storing private keys, especially the encrypted ones, using PKCS #8 and perhaps add a way to use PKCS #1 / SEC1 EC on step ca commands.
