This should be done
- after generating the cert
- at startup -> offering to generate a new cert, if needed
Implicitly, this checks whether our root-ca is installed, correctly. Might not replace the test page, but supplements it.
An initial attempt is in work/tfry/verify_ssl_certificate, but needs more work to get quite right (see commit message).