add support for encrypted TLS private keys (#5308)

This change adds support for password-protected private keys.
If the private key is encrypted the server tries to decrypt
the key with the password provided by the env variable 
MINIO_CERT_PASSWD.

Fixes #5302

docs/tls/README.md

@@ -33,13 +33,32 @@ go run generate_cert.go -ca --host "10.10.0.3"
 
 ### Using OpenSSL
 
-Generate the private key:
+**Generate the private key**:
 
+1. **ECDSA:**  
+```sh
+openssl ecparam -genkey -name prime256v1 -out private.key
+```
+or protect the private key additionally with a password:  
+```sh
+openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
+```
+2. **RSA:**
 ```sh
 openssl genrsa -out private.key 2048
+```  
+or protect the private key additionally with a password:  
+```sh
+openssl genrsa -aes256 -out private.key 2048 -passout pass:PASSWORD
 ```
 
-Generate the self-signed certificate:
+If a password-protected private key is used the password must be provided through the environment variable `MINIO_CERT_PASSWD`:
+```sh
+export MINIO_CERT_PASSWD=PASSWORD
+``` 
+Please use your own password instead of PASSWORD.
+
+**Generate the self-signed certificate**:
 
 ```sh
 openssl req -new -x509 -days 3650 -key private.key -out public.crt -subj "/C=US/ST=state/L=location/O=organization/CN=domain"