Add new certs to internal token, try harder to remove on renewal
    
    When using a hardware token the certificate will appear twice:
    - on the hardware token
    - on the internal token as a placeholder for trust
    
    When renewing a certificate be sure to put a copy of the new
    certificate onto the internal token to store that trust.
    
    Similarly when a new certificate is added ensure that any old
    certificates with the same nickname are removed. This needs to
    span all tokens.
    
    SEC_DeletePermCertificate() will not necessarily remove the
    certificate on the token it is in so do multiple passes of
    "find the certificate" to ensure all copies are removed.
    
    Fixes: https://pagure.io/certmonger/issue/258
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>