Split out certificates from vo/config #19

Open

jrha opened this issue Mar 5, 2019 · 2 comments
Comments

@jrha
Member

jrha commented Mar 5, 2019

As mentioned in #18:

To go further, the vo/certs dir could only contain certificates (named like voms.sagrid.ac.za.pem) and the https://github.com/quattor/template-library-grid/blob/umd-4/vo/config.pan template modified to include these certificates (only a few lines to modify). If you agree, I would open an enhancement issue once this PR is merged.

@jouvin
Contributor

jouvin commented Apr 1, 2022

@jrha I like your proposal, clearly these pan templates have no value as templates... (this was coming from a time when the panc compiler was not tracking files read with file_contents as an explicit profile dependency, making updates complicated). If you have something ready, it would be good if you could open a PR.

@jouvin
Contributor

jouvin commented Apr 4, 2022

After my initial reply, I remembered one reason to have a template rather than the pem file: it was to manage certificate changes with the ability to have 2 certificates associated with one VOMS server. The idea was to add the new certificate before the current one expires so that the change is handled smoothly (the client being able to verify the server whichever cert is actually used).

That said, I don't think that anybody is really using this feature and it probably doesn't really make sense anymore, as all services are using LSC files (a file containing the DN and issuer) rather than certificates, certificates being used only to retrieve the DN and issuer. The previous mechanism was really needed at the time of the WMS, which was not able to use LSC files.

If we move forward with this change, we probably need to drop the oldcert support in update-vo-config.

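The comment above says that services now consume LSC files (subject DN plus issuer DN) and that the certificate is only used to recover those two values. The following is an added, stand-alone illustration of that step, not code from the quattor project or from update-vo-config: a minimal stdlib-only DER reader pulls the subject and issuer out of a PEM certificate and renders them in the slash form an .lsc file uses, and a helper compares two certificates for the same VOMS server to show when a swap actually needs a new LSC entry. The sample certificates are constructed inside the block (unsigned, dummy key, example.org names) purely so the parser has input; the DNs, the CA and the hostname are assumptions and do not describe any real VOMS server.

```python
"""Derive VOMS LSC entries (subject DN, issuer DN) from PEM certificates.

Added example, stdlib only.  The DER reader walks the fixed leading fields
of an X.509 TBSCertificate (version, serial, signature, issuer, validity,
subject); the sample certificates at the bottom are constructed here
(unsigned, dummy key, example.org names) and belong to no real CA.
"""
import base64

# OID (DER value bytes) -> short attribute name, for the types seen in host DNs.
OIDS = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
    b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC",   # 0.9.2342.19200300.100.1.25
}
NAMES = {v: k for k, v in OIDS.items()}


def tlv(buf, i=0):
    """Read one DER TLV at offset i; return (tag, body, offset after it)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def dn_string(name_body):
    """Render a DER Name as '/DC=org/CN=host', the form used in .lsc files."""
    parts, i = [], 0
    while i < len(name_body):
        _, rdn, i = tlv(name_body, i)       # each RDN is a SET
        attrs, j = [], 0
        while j < len(rdn):
            _, atv, j = tlv(rdn, j)         # SEQUENCE { type OID, value }
            _, oid, k = tlv(atv)
            _, value, _ = tlv(atv, k)
            attrs.append(f"{OIDS.get(bytes(oid), oid.hex())}={value.decode()}")
        parts.append("+".join(attrs))       # multi-valued RDNs joined with '+'
    return "/" + "/".join(parts)


def subject_issuer(pem):
    """Return (subject DN, issuer DN) of a PEM-encoded certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = tlv(base64.b64decode(body))
    _, tbs, _ = tlv(cert)
    tag, _, i = tlv(tbs)                    # [0] EXPLICIT version, present for v2/v3
    if tag != 0xA0:
        i = 0
    _, _, i = tlv(tbs, i)                   # serialNumber
    _, _, i = tlv(tbs, i)                   # signature AlgorithmIdentifier
    _, issuer, i = tlv(tbs, i)
    _, _, i = tlv(tbs, i)                   # validity (not needed for the LSC)
    _, subject, _ = tlv(tbs, i)
    return dn_string(subject), dn_string(issuer)


def lsc_text(pem):
    """Content of the .lsc file: subject DN on line 1, issuer DN on line 2."""
    subj, iss = subject_issuer(pem)
    return f"{subj}\n{iss}\n"


def lsc_changes(old_pem, new_pem):
    """True if replacing old_pem by new_pem requires a different LSC entry."""
    return subject_issuer(old_pem) != subject_issuer(new_pem)


# ---- constructed sample certificates (unsigned; input for the parser only) ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def name(*rdns):
    """Build a DER Name from ('DC', 'org')-style pairs, one RDN each."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, NAMES[t]) + der(0x0C, v.encode())))
        for t, v in rdns))


def fake_cert(subject, issuer, serial):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + name(*issuer)
              + der(0x30, der(0x17, b"220101000000Z") + der(0x17, b"230101000000Z"))
              + name(*subject)
              + der(0x30, alg + der(0x03, b"\x00")))        # empty dummy key
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))        # empty dummy signature
    b64 = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


CA = (("DC", "org"), ("DC", "example"), ("CN", "Example CA"))        # assumed CA
HOST = (("DC", "org"), ("DC", "example"), ("OU", "Hosts"), ("CN", "voms.example.org"))
CURRENT_PEM = fake_cert(HOST, CA, 1)                      # certificate in use today
RENEWED_PEM = fake_cert(HOST, CA, 2)                      # renewal: same DN, same issuer
REISSUED_PEM = fake_cert(HOST, CA[:2] + (("CN", "Example CA 2"),), 3)  # new CA

if __name__ == "__main__":
    print(lsc_text(CURRENT_PEM), end="")
    print("renewal needs a new LSC entry:", lsc_changes(CURRENT_PEM, RENEWED_PEM))
    print("reissue under a new CA needs one:", lsc_changes(CURRENT_PEM, REISSUED_PEM))
```

The renewal case is the one the two-certificate mechanism was built for: a host certificate renewed under the same CA keeps its subject and issuer, so the LSC entry derived from the old certificate already matches the new one and no overlap period is needed on the client side. Only a change of issuer (or of the host DN) produces a different LSC entry, and that is the case a rotation procedure still has to handle.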