fdca2d8
- only prune an old cert if *both* its not-before and not-after are before the respective fields in the new one, because it feels safer