- think i finally understand ssl now

- allow CA to be configured for each ssl certificate set
- never do any root CA stuff. this is outside the scope of myplc. myplc
  now only generates self-signed certs (but supports replacement of the
  self-signed certs with real certs signed by another CA, as long as the
  CA is specified)
- self-sign the MA/SA SSL certificate (and by extension, the MA/SA API
  certificate)