
Kube test network : illustrate a multi-tier CA deployment using an intermediary

Open jkneubuh opened this issue 2 years ago • 0 comments

Kube test network now uses cert-manager.io to issue the TLS root (self signed Issuer) certificate and org-level TLS (CA Issuer) certificates. Similarly, the fabric-ca is used to manage a two-tier CA infrastructure for issuing ECert enrollments for node and user identities.

Extend this model by introducing an intermediate CA for both TLS and ECert issuers. The public docs provide some guidance on this front but it is still "too hard" without providing a reference to help navigate the target configuration.

Set up intermediate CAs for the Kube test network:

  • TLS intermediate CA using cert-manager.io
  • ECert intermediate CA using fabric-ca
  • Comprehensive pass to ensure all CLI commands, config files, etc. pass the TLS intermediate certificate when validating secure connections.

Ideally, show this in the context of an intermediate cert with a short-term expiration and renewal process.

jkneubuh, Mar 01 '22 11:03
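
One possible shape for the TLS half of this request, as an added example that is not part of the original issue or the fabric-samples code: a cert-manager chain of self-signed root, root CA Issuer, short-lived intermediate CA, and the intermediate CA Issuer that org-level TLS certificates would reference. All resource and secret names and the duration values are assumptions chosen for illustration.

```yaml
# Added example; resource names, secret names and durations are hypothetical.
# No namespace is set, so the resources land in the namespace they are applied to.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: tls-selfsigned-issuer}
spec:
  selfSigned: {}            # bootstraps the root only; never used for leaf certs
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: tls-root-ca}
spec:
  isCA: true
  commonName: tls-root-ca
  secretName: tls-root-ca-secret
  privateKey: {algorithm: ECDSA, size: 256}
  issuerRef: {name: tls-selfsigned-issuer, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: tls-root-issuer}
spec:
  ca:
    secretName: tls-root-ca-secret   # signs the intermediate CA only
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: tls-intermediate-ca}
spec:
  isCA: true
  commonName: tls-intermediate-ca
  secretName: tls-intermediate-ca-secret
  duration: 720h            # short-lived intermediate (30 days, illustrative)
  renewBefore: 240h         # cert-manager re-issues 10 days before expiry
  privateKey: {algorithm: ECDSA, size: 256}
  issuerRef: {name: tls-root-issuer, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: tls-intermediate-issuer}
spec:
  ca:
    secretName: tls-intermediate-ca-secret   # org-level TLS certs use this issuerRef
```

Clients that validate node TLS connections need the intermediate certificate available alongside the root, which is the "comprehensive pass" item in the list above.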