On initial generation, a self-signed cert should be generated #3
Description
Initially, before a signed cert is installed, a self-signed cert should be installed to allow for things depending on it's existence to still run (ie. Apache, Stunnel, etc). Since we submit the CSR generated by this class, under normal circumstances, we will never have a cert ready for the apache/stunnel/etc to read and load. This causes the puppet runs to fail if the service depends on it, and it is managed in puppet.
An option for also generating a loadable intermediate cert should be available as well, even if it's just copying the self-signed cert to the intermediate.crt.