[alerque]

Anybody can make one.

You can make one on your own computer, give the result to your friends, tell them to connect through you as a proxy, and intercept everything. The tricky part is that browsers are hard coded with a list of a few trusted root certificates to trust. In order for the home baked certificate you just made to do any good, people have to explicitly install it and mark it as trusted. That means you have to distribute your newly minted root certificate and get every end point device to accept it manually.

That's what's so sinister about Kazakhstan's approach: by issuing a governmental mandate for citizens install the certificate they generated, and restricting their internet if they don't, they are effectively bypassing the Internet's current trust system entirely and granting themselves cart-blanche access to all their traffic.