Create a section for sane `Certificate` defaults

[hawksight]

As part of #1279 we recognise that we don't have any documentation on what we regard as sane defaults for Certificates.

We should create a section that covers this with a reasoning to inform users. Users are of course free to disagree and use their own reasoning, but having somewhere to start might provide some better PKI defaults being applied.

We could then provide a ClusterPolicy reference example for Kyverno users and similarly a Gatekeeper configuration with the equivalent rules.