
(#3120) Disambiguate the localcacert setting

Description

(#3120) Disambiguate the localcacert setting

Without this patch applied the localcacert setting is woefully
overloaded. The following behaviors are layered on top:

  • Client authentication of the SSL server
  • Server authentication of the SSL client
  • Puppet CA signing and issuing certificates

In addition, we plan to fully support CA chains in #3143 which will
introduce two additional scenarios of CA certificates that build trust
but are not used for authentication.

Puppet has assumed in the past that all of these behaviors built on top
of a single, self-signed CA certificate.

This is a problem because there is no distinction between a bundle of CA
certificates that are usable to authenticate the peer in an SSL
connection.

This patch fixes the problem by introducing two new configuration
options, ssl_server_ca_auth and ssl_client_ca_auth. Both of these
settings will default to the localcacert setting.

This is slightly confusing because the file pointed to by the
localcacert setting could contain a bundle of CA certificates. However,
Puppet would treat this file as the CA certificate itself so any use of
multiple CA certificates would only work by accident.

With this patch we now explicitly support authenticating against
multiple certificate authorities but we do not yet fully support
authenticating against chained certificate authorities.

The patch also introduces ssl_client_ca_chain and ssl_server_ca_chain as
commented out options in defaults.rb because these options will be
required for #3143.

Paired-with: Patrick Carlisle <patrick@puppetlabs.com>
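The commit message's point that a bundle in the localcacert file "would only work by accident" comes down to how the file is read: parsing it as a single certificate keeps only the first PEM block, so a peer issued by any other CA in the bundle fails, while loading every block into a verification store authenticates against all of them. The following Ruby script is an added illustration, not code from this commit or from Puppet; the two CAs, the agent certificate and the helper names (make_ca, make_leaf, certs_in_bundle, verify_as_single_ca, verify_against_bundle) are constructed here for the example.

```ruby
require 'openssl'

# Constructed self-signed CA for the example (not Puppet's CA code).
def make_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed end-entity certificate issued by the given CA.
def make_leaf(common_name, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Every certificate in a PEM bundle, in file order.
def certs_in_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# The "localcacert is the CA certificate" reading: Certificate.new parses
# only the first PEM block, so a bundle silently collapses to its first
# entry and a peer issued by any other CA in it fails the signature check.
def verify_as_single_ca(pem, peer_cert)
  only_ca = OpenSSL::X509::Certificate.new(pem)
  peer_cert.verify(only_ca.public_key)
end

# The "bundle of CA certs usable to authenticate the peer" reading: load
# every CA into a store and let OpenSSL build and verify the chain.
def verify_against_bundle(pem, peer_cert)
  store = OpenSSL::X509::Store.new
  certs_in_bundle(pem).each { |ca| store.add_cert(ca) }
  store.verify(peer_cert)
end

def demo
  ca_one, _key_one = make_ca('Example CA one')
  ca_two, key_two  = make_ca('Example CA two')
  agent  = make_leaf('agent.example.com', ca_two, key_two)
  bundle = ca_one.to_pem + ca_two.to_pem # what a localcacert file may hold
  {
    cas_in_bundle:  certs_in_bundle(bundle).size,        # 2
    single_ca_view: verify_as_single_ca(bundle, agent),  # false
    bundle_view:    verify_against_bundle(bundle, agent), # true
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it as a script to see the three results side by side. Swapping the order of the two CAs in the bundle flips single_ca_view to true without changing the trust decision that was intended, which is exactly the "works by accident" behavior; the store-based check is order-independent. Neither helper walks intermediate CAs, matching the commit's note that chained authorities are not yet supported.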

Event Timeline

Jeff McCune <jeff@puppetlabs.com> committed rPU30eb9834fdce: (#3120) Disambiguate the localcacert setting (authored by Jeff McCune <jeff@puppetlabs.com>). Jul 11 2012, 2:02 AM