Thanks for the comment and contributions!
I agree, the current model isn't that great - I understand the need for a widely-accepted set of root CAs for the modern web to work, but the ability to add new CAs for trusted peers is essential. Unfortunately we're starting to see places where unofficial CAs aren't as trusted - e.g. if you install your CA in an Android device, you'll get a "Network may be monitored" warning every time you turn it on.
Exactly what I needed. Awesome! Thank you.
I don't really like the CA model, and believe anyone should be able to set up their own CA, just like GPG keys. Peers should be able to trust the CAs they want easily.
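The private CA that the second and fourth comments argue for, as an added shell example that is not part of the original thread or of any project it refers to: a self-signed CA, a peer certificate issued by it (with a subjectAltName, which modern clients require), and a verify step that accepts the peer only when the chain ends at that CA. The names `example-ca` and `peer.internal`, the file layout under the directory given to `make_private_ca`, and the `demo` argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): build a private CA, issue a
# peer certificate from it, and verify the peer only against that CA.
# Assumed names: "example-ca" (the CA), "peer.internal" (the peer), and the
# file layout under the directory passed to make_private_ca.
set -e

# make_private_ca DIR
# Writes ca.key/ca.crt and peer.key/peer.crt under DIR.
make_private_ca() {
  dir="$1"
  mkdir -p "$dir"

  # CA extensions: mark the certificate as a CA so verifiers accept it as a
  # trust anchor. prompt=no lets the DN come from the [dn] section (or -subj).
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = example-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # Peer (leaf) extensions: explicitly not a CA, server use only, and a SAN,
  # since clients match the host name against subjectAltName, not the CN.
  cat > "$dir/peer.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:peer.internal
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # 1. Self-signed CA certificate: the root your peers choose to trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

  # 2. Peer key and certificate signing request (-subj overrides the [dn] CN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/ca.cnf" -subj "/CN=peer.internal" \
    -keyout "$dir/peer.key" -out "$dir/peer.csr" >/dev/null 2>&1

  # 3. The CA signs the CSR, attaching the leaf extensions above.
  openssl x509 -req -sha256 -days 365 \
    -in "$dir/peer.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/peer.ext" \
    -out "$dir/peer.crt" >/dev/null 2>&1
}

# verify_against CA_FILE CERT_FILE
# Prints "ok" when CERT_FILE chains to CA_FILE, "fail" otherwise.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone demo: a peer cert verifies against its own CA but not another.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_private_ca "$work/a"
  make_private_ca "$work/b"
  echo "same CA:  $(verify_against "$work/a/ca.crt" "$work/a/peer.crt")"
  echo "other CA: $(verify_against "$work/b/ca.crt" "$work/a/peer.crt")"
fi
```

Run it as `sh private-ca.sh demo`. The `openssl verify -CAfile` step is the same check a client performs when you hand it only your CA (for instance `curl --cacert ca.crt`), which is the "trust the CAs you want" model the comment describes: nothing outside `ca.crt` is trusted, and a certificate from any other CA, public or private, fails.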