Re-order the way the SCEP signing and CA certs are collected
    
    Put cacert into the ca store, the racert at the top of the
    othercerts list. Then we parse certs, placing all ca certs
    we find into the ca store, and all other certs we find after
    the racert.
    
    Variables are renamed to match the cm_pkcs7_parse() and
    cm_pkcs7_verify_signed() calls.
    
    A special case for IPA (dogtag) was added because dogtag
    uses its CA cert to sign the PKCS7 so it is both an RA cert
    and a CA cert. If a self-signed CA is detected and no other
    certs are provided then the CA is treated as the RA.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1808052
    
    Graham Leggett did the majority of the work on this patch.