Be more clear about selfsign option

Installing IPA server --selfsign option is currently a one-way ticket
to server with limited certificate capabilities. Make sure that user
really want to install it by implementing the following steps:

- moving the option to the bottom of certificate options section
- adding a warning to ipa-server-install man page
- adding a warning to ipa-server-install help
- adding a warning to ipa-server-install configuration summary
  when one runs ipa-server-install

https://fedorahosted.org/freeipa/ticket/1908

install/tools/man/ipa-server-install.1

@@ -72,9 +72,6 @@ An unattended installation that will never prompt for user input
 
 .SS "CERTIFICATE SYSTEM OPTIONS"
 .TP
-\fB\-\-selfsign\fR
-Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates
-.TP
 \fB\-\-external\-ca\fR
 Generate a CSR to be signed by an external CA
 .TP
@@ -107,6 +104,11 @@ The password of the Kerberos KDC PKCS#12 file
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME)
+.TP
+\fB\-\-selfsign\fR
+Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
+
+WARNING: Using this option will restrain the server certificate management capabilities. Please, keep in mind that there is no way to change this setting later.
 
 .SS "DNS OPTIONS"
 .TP