Comment 5 for bug 1878353

The charm currently issues only a CSR, that has to manually be signed by openssl with the CA. The certificates shouldn't be provided via relations, but exported as plain text, same as get-root-ca action.