Rework which keys we prefer for SCEP
Rework which data we generate, so that it's easier for helpers to decide
what to send to the server:
* CERTMONGER_PKCSREQ:
Signed with an old/only key and a previously-issued certificate,
or using the minicert if there's no new key.
* CERTMONGER_PKCSREQ_REKEY:
Signed with an new key and the minicert.
* CERTMONGER_GETCERTINITIAL:
Signed with an old/only key and a previously-issued certificate,
or using the minicert if there's no new key.
* CERTMONGER_GETCERTINITIAL_REKEY:
Signed with an new key and the minicert.