Great blog, Florian. Note you can also use the self-signed cert on the MM as the CA cert, and if it's a hardware MD they can use the factory cert.
crypto pki export ca-cert pem self-signed
This will print out the cert in PEM format. Copy it to a file. In this example I have called it sc-root-ca.
At the folder level, import this cert as a TrustedCA.
Go to the device level in the CLI and apply the following masterip config.
masterip <master-ip> ipsec-custom-cert master-mac-1-c <MM-ma> ca-cert sc-root-ca server-cert factory-cert interface vlan <controller-vlan>
At the MM level you need to add the node.
local-custom-cert local-mac <MD-mac> ca-cert factory-ca-cert server-cert self-signed-field-cert