Certificates/Become your own CA

Applies to:
 * small local networks running a critical number of TLS-secured services (HTTP server, message broker, LDAP)
 * mutual TLS for authentication in a local network, esp. hosts that don't have any user input options

Basic steps:
 * 1) create the root CA's private key material, stored offline and externally
 * 2) create the intermediate CA's private key material, stored offline
 * 3) submit the intermediate CA's CSR to the root CA
 * 4) the root CA signs the CSR; the intermediate CA's certificate is sent to the intermediate CA
 * 5) the intermediate CA signs CSRs for server certificates
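
Added example (not part of the original page): the five steps above carried out with the openssl CLI, followed by a chain check. The subject names, lifetimes, file names, the SAN broker.lan.example and the extension profiles (including pathlen:0 on the intermediate) are assumptions; all keys are written to one directory for the demo, whereas steps 1 and 2 call for offline storage.

```shell
# Added example: steps 1-5 with the openssl CLI. Names, lifetimes and the SAN are
# constructed. Demo only: all keys share one directory; keep CA keys offline.
set -eu

write_cnf() {    # extension profiles for each tier of the hierarchy
    cat > "$1/ca.cnf" <<'EOF'
[req]
# -subj supplies the name; this line only satisfies openssl req
distinguished_name = req
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_inter]
# pathlen:0 = may sign end-entity certificates but no further CAs
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:broker.lan.example
EOF
}

key_and_csr() {  # key_and_csr <dir> <name> <subject>
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/$2.key"
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

sign_csr() {     # sign_csr <dir> <name> <issuer> <profile> <days>
    openssl x509 -req -sha256 -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions "$4" -days "$5" -out "$1/$2.crt"
}

build_chain() {  # build_chain <dir>
    write_cnf "$1"
    key_and_csr "$1" root "/CN=Example Root CA"              # step 1 (self-signed below)
    openssl x509 -req -sha256 -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.cnf" -extensions v3_root -days 3650 -out "$1/root.crt"
    key_and_csr "$1" inter "/CN=Example Intermediate CA"     # steps 2 and 3
    sign_csr "$1" inter root v3_inter 1825                   # step 4
    key_and_csr "$1" server "/CN=broker.lan.example"         # step 5
    sign_csr "$1" server inter v3_server 397
}

verify_chain() { # clients trust only root.crt; the server presents server + inter
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/server.crt"
}

# usage: d=$(mktemp -d) && build_chain "$d" && verify_chain "$d"
```

Only root.crt needs to be distributed to clients as a trust anchor; the server sends inter.crt along with its own certificate during the handshake.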