- allow CA to be configured for each ssl certificate set
- never do any root CA stuff. this is outside the scope of myplc. myplc
now only generates self-signed certs (but supports replacement of the
self-signed certs with real certs signed by another CA, as long as the
CA is specified)
- self-sign the MA/SA SSL certificate (and by extension, the MA/SA API
certificate)