Instead of having separate CA vs CusterCA, we should have a single CA with role separation: e.g.: allow specifying limitations on which CA can be used for what purpose. Specifically, to pin X509 authorization to a specific roots only