fix(gateway): harden self-signed cert persistence and config validation

src/ZB.MOM.WW.MxGateway.Server/Configuration/GatewayOptionsValidator.cs

@@ -274,6 +274,11 @@ public sealed class GatewayOptionsValidator : IValidateOptions<GatewayOptions>
                 $"MxGateway:Tls:ValidityYears must be between {MinimumCertValidityYears} and {MaximumCertValidityYears}.");
         }
 
+        // The default is non-blank, so this only catches an explicitly-blanked path.
+        AddIfBlank(
+            options.SelfSignedCertPath,
+            "MxGateway:Tls:SelfSignedCertPath must not be blank.",
+            failures);
         AddIfInvalidPath(
             options.SelfSignedCertPath,
             "MxGateway:Tls:SelfSignedCertPath must be a valid filesystem path.",