Document / improve that sometimes the issuer needs to set `ca.crt`

[SgtCoDFish]

istio-csr has a Helm value for specifying a file from which root CAs should be read.

We document that that file is optional, which is correct. If the file is not provided istio-csr defaults to falling back to using ca.crt from whatever cert gets issued for the serving cert.

This root is used to verify incoming client certificates.

If no root CAs file was provided and no ca.crt is provided, users will see an error like failed to fetch initial serving certificate: root CA certificate is not defined

This has a couple of problems:

1. The error talks about fetching the serving certificate, but it was actually fetched successfully. This is a configuration error, not an error with fetching that certificate.
2. We don't document that we require at least one of a root CAs file or ca.crt to be present
3. Falling back to ca.crt is highly dangerous and something we wouldn't recommend elsewhere because it makes root rotation much more difficult (or impossible) to do safely
4. Not everything sets ca.crt - it's something we'd rather get rid of and issuer-lib discourages its use.

We should firstly improve our documentation around this, and maybe think of other ways we can improve this situation