fix(certs): replace encrypted CA with unencrypted ECDSA P-256 CA

- Replaced password-protected RSA CA with unencrypted ECDSA P-256 CA
  to prevent manager startup failures from encrypted keys.
- Regenerated server and client certificates (client001) with new CA.
- Updated CA_SETUP.md to use openssl genpkey (unencrypted) instead of
  openssl genrsa -aes256, with warning against encrypted keys.

configs/certs/server.csr.pem

@@ -1,16 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICfzCCAWcCAQAwOjEYMBYGA1UEAwwPbGludXgtcGF0Y2gtYXBpMREwDwYDVQQK
-DAhJbnRlcm5hbDELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCu+RZd6OHxdGJdI+C9rS8rowzsYF/qr3p6+Yvp9ySvBzJ20TVWQSrK
-Fo1VcDgg7rkTYuRxzxehO0R7pTkxnWqLY6VAA39w5nyVzTwFPv7UovdAZx/U7hnJ
-Zj7ndtxuqYk1tkx94NLjYXUCWqy48/tKQXobQh3qXeQ6HfwFSI5xpy61quQBZkJz
-VAatcOv/fhn3K+TrgBaKKkXFNQ3jjKhzrH3Z0son1+GNyhHvQlvCJ+jdWDpzDvSP
-XpqEDmxCQvdBdzGVAPrv3fmBMyOQFnHOTHmKtJ806jBFsYEUwnXKA4/xtaihl1OL
-bz85Z6MicH1PwTo4v0Z7ngIcyoxlgX/RAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
-AQEAPaBJ7ryKBUuKoUGsgb+fc9GIbGomCbWZnPFx3ZJcUZfeb4/Qi1glhe1GiiUt
-np5x0cjgw5he6zd13lgylglsYrSHEJDV2MqVoHqCwFH+m+ODnZvnQkrgxW4t+JEK
-wEwp0dRGLXsshDPWg5Xe/SaFBfvuCWEkWkcQ4NYwg5SOVn0TCAVy2VKmdDW1KHtf
-GkqHdUiIs5FX6kXIMryQpIG6OXyJCQ3pGv+kSlfaeobnqUUASWwBAaubZBxnqTIl
-Daj2End8iYQ9Fiv7z0YFxJrULSt5qhtRivmUHjSOyv0tlPs+aG9mP9j14ND2/ZIA
-ihOZrIUTTxaaVL9IxIVnTt7tFw==
+MIH1MIGcAgEAMDoxGDAWBgNVBAMMD2xpbnV4LXBhdGNoLWFwaTERMA8GA1UECgwI
+SW50ZXJuYWwxCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+C32xU18H3OljGW+wQUesT1qSB+bp5cCkNW9rfpv7wjr79eHriZkQ8EgrdVAK9Zw0
+fZJNdd4LyekDGXiQU/qAJ6AAMAoGCCqGSM49BAMCA0gAMEUCIQDf7FSy4YiZvWkj
+G9BgdSPTcIq8VYSGm7nnXprD8u1ZTwIgO6/5jH72reiCaaMm62X1Vrpc+8SDMVtO
++dlP4dZ+BM8=
 -----END CERTIFICATE REQUEST-----