Don't require certificates to have unique ipaCertSubject #7504

Open
wants to merge 3 commits into
base: master

rcritten
Contributor

In the wild a public CA issued a new subordinate CA certificate
with an identical subject to another, with a new private key.
This was uninstallable using ipa-cacert-manage because it would
fail with "subject public key info mismatch" during verification
because a different certificate with the same subject but
different public key was installed.

I'm not sure of the reasoning to prevent this situation but I
see it as giving users flexibility. This may be hurtful to them
but they can always remove any affected certs.

This is backwards compatible with older releases from the client
perspective. Older servers will choke on the duplicates and
won't be able to manage these.

A new serial number option is added for displaying the list of
certificates and for use when deleting one with a duplicate subject.

ipa-cacert-manage delete on systems without this patch will
successfully remove ALL of the requested certificates. There is no
way to distinguish. At least it won't break anything and the
deleted certificates can be re-added.

Fixes: https://pagure.io/freeipa/issue/9652

@rcritten rcritten added the ipa-4-12 Mark for backport to ipa 4.12 label Aug 26, 2024
Signed-off-by: Rob Crittenden <[email protected]>
Use a pre-generated external CA plus two subordinate CA certificates
that use the same subject but have different serial numbers and a
validity period 3 years + 1 day different.

Test that both certificates can be loaded and applied on a system.

If the duplicate subject certificates are not sufficiently
different in validity period, or prior to this fix,
the test will fail because only one of the duplicately named
subject certificates will be visible: the second one (4097).

Fixes: https://pagure.io/freeipa/issue/9652

Signed-off-by: Rob Crittenden <[email protected]>
@rcritten rcritten added the needs review Pull Request is waiting for a review label Sep 23, 2024
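
A simplified model of the behaviour described in this pull request, added here as an illustration and not FreeIPA code: a store that enforces unique subjects rejects the second certificate with "subject public key info mismatch", a subject-only delete removes every match, and a serial number selects one certificate. The names `CACert`, `install`, `delete_by_subject` and `delete` and all sample values are constructed, and refusing an ambiguous delete is an assumption of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CACert:
    subject: str   # subject DN
    serial: int    # serial number assigned by the issuer
    spki: bytes    # stand-in for the subject public key info


def install(store, cert, unique_subject):
    """Add cert to store (a list). unique_subject=True models the old check."""
    for other in store:
        if (unique_subject and other.subject == cert.subject
                and other.spki != cert.spki):
            raise ValueError("subject public key info mismatch")
    if cert not in store:
        store.append(cert)


def delete_by_subject(store, subject):
    """Subject-only delete: every certificate with that subject goes."""
    removed = [c.serial for c in store if c.subject == subject]
    store[:] = [c for c in store if c.subject != subject]
    return removed


def delete(store, subject, serial=None):
    """Serial-aware delete: the serial picks one of several same-subject certs."""
    hits = [c for c in store if c.subject == subject
            and serial in (None, c.serial)]
    if len(hits) > 1:
        # Assumption of this example: refuse rather than guess.
        raise LookupError("subject is ambiguous, pass a serial number")
    store[:] = [c for c in store if c not in hits]
    return [c.serial for c in hits]


# Constructed sample data: two subordinate CAs sharing one subject.
SUBJECT = "CN=Example Sub CA,O=Example"
OLD = CACert(SUBJECT, 4096, b"key-A")
NEW = CACert(SUBJECT, 4097, b"key-B")

if __name__ == "__main__":
    store = []
    install(store, OLD, unique_subject=False)
    install(store, NEW, unique_subject=False)
    print(delete(store, SUBJECT, serial=4096), [c.serial for c in store])
```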