RHEL-93207

certificate role does not work in container builds


    • Task
    • Resolution: Done
    • Major
    • rhel-system-roles
    • Sprint 14
    • RHEL-88396

The certificate role is special: on a more basal level, it all depends on a running certmonger, which we can't have during a bootc build. More conceptually, we don't actually want to create a certificate during container build – these are likely deployed multiple times, and we want neither duplicate keys nor private key material in potentially public container images.

Initial idea: Create a first-boot systemd unit which contains the configuration and sets up certmonger and the certificate that way. This will need careful testing, and thus depends on building a mechanism for a full round of container build → qcow build → boot deployed system test.

              rhn-engineering-mpitt Martin Pitt
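
The concern stated in the description, private key material ending up in container images, can be checked at build time. The script below is an added example, not part of the ticket or of rhel-system-roles; the function names, the sample paths and the assumption that the image tree is unpacked into a directory are all illustrative.

```shell
#!/bin/sh
# Added example (not from the ticket): fail a container build when the image
# tree contains PEM private keys.
# Assumption: the image root filesystem is unpacked or mounted at a directory.
# Limitation: keys stored in DER form or inside an NSS database are not matched.

# List regular files under $1 holding a PEM private-key header: PKCS#8,
# encrypted PKCS#8, and the legacy RSA/EC/DSA/OpenSSH variants.
find_private_keys() {
    find "$1" -xdev -type f \
        -exec grep -lE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' {} + \
        2>/dev/null || true
}

# Return 0 when the tree is clean, 1 (with a report on stderr) otherwise.
check_rootfs() {
    hits=$(find_private_keys "$1")
    if [ -n "$hits" ]; then
        printf 'private key material in image tree:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one tree with only a certificate, one with a key as well.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/etc/pki/tls/certs" "$tmp/baked/etc/pki/tls/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$tmp/clean/etc/pki/tls/certs/web.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' \
        '-----END PRIVATE KEY-----' > "$tmp/baked/etc/pki/tls/private/web.key"
    for tree in clean baked; do
        if check_rootfs "$tmp/$tree" 2>/dev/null; then
            echo "$tree: ok"
        else
            echo "$tree: private key found"
        fi
    done
    rm -rf "$tmp"
}

# Scan the directory given as $1, or run the constructed demo without arguments.
if [ "$#" -ge 1 ]; then check_rootfs "$1"; else demo; fi
```

Run as a late build step, a non-zero exit from `check_rootfs` stops an image with baked-in keys from being published.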