Onboarding: center CTA, move CA download into install section

pikit-web/onboarding/index.html

@@ -19,13 +19,6 @@
         can manage Pi-Kit safely.
       </p>
 
-      <section class="actions">
-        <button id="continueBtn">Continue to secure dashboard</button>
-        <a class="ghost" id="downloadCa" href="http://pikit.local/assets/pikit-ca.crt" download>
-          Download Pi-Kit CA
-        </a>
-      </section>
-
       <section class="steps">
         <h3>Why switch to HTTPS?</h3>
         <ul>
@@ -46,7 +39,12 @@
 
       <section class="steps">
         <h3>Install the Pi-Kit CA (recommended, one-time)</h3>
-        <p>This removes future warnings for the Pi-Kit dashboard.</p>
+        <div class="ca-download">
+          <p>This removes future warnings for the Pi-Kit dashboard.</p>
+          <a class="ghost download-inline" id="downloadCa" href="http://pikit.local/assets/pikit-ca.crt" download>
+            Download Pi-Kit CA
+          </a>
+        </div>
         <details>
           <summary>Windows</summary>
           <p>Run <strong>mmc</strong> → Add/Remove Snap-in → Certificates (Computer) → Trusted Root CAs → Import <em>pikit-ca.crt</em>.</p>
@@ -77,6 +75,10 @@
         </details>
       </section>
 
+      <section class="actions">
+        <button id="continueBtn">Go to secure dashboard</button>
+      </section>
+
       <p class="footnote">Once trusted, this page will auto-forward you to the secure dashboard.</p>
     </main>