Most of the settings complained about are behind an "Advanced" tab anyways. If you really want to keep them from users, stick a "warning: dragons" on it or document the hell out of putting the ability to enable the advanced tab in about:config.

I'm really, really uncomfortable with the idea of an add on being the only way to configure certificates.