Add test cases for CA-reuses-key-on-rekey-request
Run through a case where we request a rekey, but the CA gives us a
certificate that uses our old private key. This could happen if, for
example, the helper asked for a renewal using the old key even though
our intent was to enroll a new key. Make sure that we keep the old key
around when we're using files, and ensure that the old key doesn't get
removed from the NSS database by counting and expecting three: the old
key from our first rekey request, the current key, and the candidate
key.