31ddb0a Rework how we clean up after rekeys with NSS

Authored and Committed by nalin 8 years ago
    Rework how we clean up after rekeys with NSS
    
    Change what we do when saving a certificate to an NSS database to more
    closely match expectations: instead of fiddling with the key's nickname,
    which is basically unused except by us, remove nicknames from keys after
    we've gotten a certificate using them.
    
    We already do the "look for a key that matches a certificate with the
    specified nickname" dance elsewhere, so doing so doesn't harm us during
    subsequent renewal or information retrieval attempts, but it lets the
    output of 'certutil -K' look the same, give or take the order in which
    keys are printed.
    
    This also fixes handling of the cases where we attempt a rekey but the
    CA gives us a certificate that uses our old key - we add the candidate
    key to the list of keys we'll either unname or remove, so it either
    becomes an orphan key (if we're preserving keys in general) or gets
    removed.
file modified
+133 -109
file modified
+18 -18
file modified
+7 -4