SDK should update certificate pools safely

[maraino]

Description

Certificate pools should be safely updated when root or federation certificates are rotated. A server uses tls.Config.GetConfigForClient to provide the refreshed version of the tls.Config while clients use a custom http.Transport.DialTLS that uses the refreshed tls.Config. Fixes #23

This PR also adds the method BootstrapListener that creates a net.Listener configured with the TLS certificate provided by the CA

[codecov-io]

Codecov Report

Merging #27 into master will increase coverage by 2.1%.
The diff coverage is 85.62%.

@@            Coverage Diff            @@
##           master      #27     +/-   ##
=========================================
+ Coverage   76.59%   78.69%   +2.1%     
=========================================
  Files          20       21      +1     
  Lines        1658     1953    +295     
=========================================
+ Hits         1270     1537    +267     
- Misses        276      298     +22     
- Partials      112      118      +6

Impacted Files	Coverage Δ
ca/mutable_tls_config.go	100% <100%> (ø)
ca/client.go	77.03% <33.33%> (+6.95%)	⬆️
ca/bootstrap.go	71.42% <60%> (-3.58%)	⬇️
ca/tls.go	67.78% <81.81%> (+0.88%)	⬆️
ca/tls_options.go	94.07% <84%> (-5.93%)	⬇️
authority/tls.go	70.87% <0%> (+0.81%)	⬆️
authority/claims.go	85.5% <0%> (+1.06%)	⬆️
authority/types.go	97.22% <0%> (+1.14%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 88a3c4c...e0fff4d. Read the comment docs.

[dopey]

left a few comments about grammar / syntax