Policy 2.8: MRSP Issue #238: Clarify that CAs can generate their own keys

[Ben Wilson]

All,

I intend to address a minor issue in this batch of changes for MRSP v. 2.8. 

Currently, section 5.2 of the MRSP says, "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."  However, if the CA is creating end-entity certificates for itself, e.g. certificates for test websites as required by section 2.2 of the Baseline Requirements, then this language presents a problem. See https://github.com/mozilla/pkipolicy/issues/238

Here is proposed language to address this issue, add to the end of the phrase above, "unless the certificate is being issued to the CA itself."

https://github.com/BenWilson-Mozilla/pkipolicy/commit/e243b8252d19ba25f73dc56b9db3dc634f562e2b

Please review.

Thanks,

Ben Wilson