b28dbc0 Rework how we clean up after rekeys with NSS

Authored and Committed by nalin 4 years ago
    Rework how we clean up after rekeys with NSS
    
    Change what we do when saving a certificate to an NSS database to more
    closely match expectations: instead of fiddling with the key's nickname,
    which is basically unused except by us, remove nicknames from keys after
    we've gotten a certificate using them.
    
    We already do the "look for a key that matches a certificate with the
    specified nickname" dance elsewhere, so doing so doesn't harm us during
    subsequent renewal or information retrieval attempts, but it lets the
    output of 'certutil -K' look the same, give or take the order in which
    keys are printed.
    
    This also fixes handling of the cases where we attempt a rekey but the
    CA gives us a certificate that uses our old key - we add the candidate
    key to the list of keys we'll either unname or remove, so it either
    becomes an orphan key (if we're preserving keys in general) or gets
    removed.
    
        
file modified
+133 -109
file modified
+18 -18
file modified
+7 -4