Indicate rough expected capabilities for generated secret keys

sop generate basically says "make a secret key" but maybe we need to document that the certificate as a whole needs to have at least certification and signing and encryption capabilities.