This should be done

• after generating the cert
• at startup -> offering to generate a new cert, if needed

Implicitly, this checks whether our root-ca is installed, correctly. Might not replace the test page, but supplements it.

An initial attempt is in work/tfry/verify_ssl_certificate, but needs more work to get quite right (see commit message).