Re-order the way the SCEP signing and CA certs are collected

Put cacert into the ca store, the racert at the top of the
othercerts list. Then we parse certs, placing all ca certs
we find into the ca store, and all other certs we find after
the racert.

Variables are renamed to match the cm_pkcs7_parse() and
cm_pkcs7_verify_signed() calls.

A special case for IPA (dogtag) was added because dogtag
uses its CA cert to sign the PKCS7 so it is both an RA cert
and a CA cert. If a self-signed CA is detected and no other
certs are provided then the CA is treated as the RA.

https://bugzilla.redhat.com/show_bug.cgi?id=1808052

Graham Leggett did the majority of the work on this patch.