docs: add step-ca and OpenSSL CA to V2 roadmap, fix F5/IIS status

- Added step-ca and OpenSSL/Custom CA as planned V2 issuer connectors
  across README, architecture, connectors, and demo-advanced docs
- Fixed F5 BIG-IP and IIS target status from "Implemented" to
  "Interface only" — both are stubs with mapped-out flows but no
  actual API calls yet
- Updated all diagrams and tables to be consistent across docs
- DNS-01, step-ca, OpenSSL, F5, IIS all listed under V2.0 roadmap

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/demo-advanced.md

@@ -116,7 +116,7 @@ You should see:
 
 The result is a structurally valid X.509 certificate — browsers won't trust it (no root CA in their trust store), but it exercises the exact same code paths that a production ACME or Vault issuer would.
 
-**Why pluggable issuers:** Different organizations use different CAs. Some use Let's Encrypt (ACME protocol), some use internal PKI (Vault, ADCS), some use commercial CAs (DigiCert, Sectigo). The connector interface means certctl doesn't care — it calls `IssueCertificate()` and gets back a signed cert regardless of the backend.
+**Why pluggable issuers:** Different organizations use different CAs. Some use Let's Encrypt (ACME protocol), some use step-ca or internal PKI (Vault, ADCS), some use commercial CAs (DigiCert, Sectigo), and some have custom OpenSSL-based workflows. The connector interface means certctl doesn't care — it calls `IssueCertificate()` and gets back a signed cert regardless of the backend. V1 ships with Local CA and ACME (HTTP-01); step-ca, OpenSSL/custom CA, Vault PKI, and DigiCert are planned for V2.
 
 ```mermaid
 flowchart TD
@@ -129,8 +129,10 @@ flowchart TD
 
     A --> E["Local CA\n(crypto/x509)"]
     A --> F["ACME\n(Let's Encrypt)"]
-    A --> G["Vault PKI\n(future)"]
-    A --> H["DigiCert API\n(future)"]
+    A --> G["step-ca\n(planned)"]
+    A --> H["OpenSSL / Custom CA\n(planned)"]
+    A --> I["Vault PKI\n(planned)"]
+    A --> J["DigiCert API\n(planned)"]
 ```
 
 ---