Add ability to trust customer TLS certificates for IdP metadata

[wfchandler]

We offer the ability to query an IdP provider's metadata URL during silo setup. However, many customers will have their own internal certificate authority that is not part of the standard trusted cert store.

Currently we have no way to allow Nexus to trust the cert, forcing the customer to fall back on using base64_encoded_xml SAML. This is less convenient, it would be nice for customers using their own certs to be able to use this feature. Note that this refers only to the public key, we never want to access or store the private key.

AFAIK there are no other situations where the rack will initiate an outgoing connection, so this certificate store would be used solely for IdP metadata.

[davepacheco]

Makes sense. What do we imagine the flow for this looking like? Do we expect customers to want to upload a TLS certificate that the system is expected to trust? Or a CA? Or would the system try to fetch it, fail TLS verification, record the certificate details, and we'd show the cert details to them and give them an API/console button to trust it? Or something else?

[wfchandler]

I think we definitely do not want to allow an unverified cert to be trusted, given that this is flow is part of authentication setup.

As a starting point, the user providing a cert to trust seems like the simplest solution. If we find that some customers are creating a large volume of silos, then adding a trusted CA might be of benefit to them.