Policy 2.8: MRSP Issue #238: Clarify that CAs can generate their own keys


Ben Wilson

Apr 4, 2022, 1:46:45 PM4/4/22
to dev-secur...@mozilla.org
All,

I intend to address a minor issue in this batch of changes for MRSP v. 2.8. 

Currently, section 5.2 of the MRSP says, "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."  However, if the CA is creating end-entity certificates for itself, e.g. certificates for test websites as required by section 2.2 of the Baseline Requirements, then this language presents a problem. See https://github.com/mozilla/pkipolicy/issues/238

Here is proposed language to address this issue; add to the end of the phrase above: "unless the certificate is being issued to the CA itself."


Please review.

Thanks,

Ben Wilson
