0708f60 renew_ca_cert: skip removing non-CA certs, fix nickname

Authored and Committed by rcritten 8 months ago
    renew_ca_cert: skip removing non-CA certs, fix nickname
    
    This script deletes all CA certificates so a new chain
    can be loaded. It identified CA certs by those that did
    not have private keys. This change adds the ca_flags test
    in as well. It is probably sufficient on its own but it
    is left for compatibility.
    
    An HSM-based NSS database when not accessing it with the
    token will not contain the private keys so removing all
    certificates without a private key will remove certificates
    that it shouldn't. The NSS softoken stores the certificate
    trust so the certificates will be visible but they lack
    private keys because those reside in the HSM. Therefore
    deleting any certificate without a private key removed
    nearly everything.
    
    Preserve the nickname 'caSigningCert cert-pki-ca'. The
    certstore uses the nickname format '{REALM} IPA CA' and
    will replace the PKI-named key if we don't act to
    preserve it.
    
    Fixes: https://pagure.io/freeipa/issue/9273
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
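
The selection problem the commit message describes, as an added example (not the FreeIPA script or its API): a small parser for NSS trust strings that compares the "no private key" test alone against the combined CA-flag test. The sample database, the `EXAMPLE.TEST` realm and the function names are constructed for illustration; treating `c`, `C` or `T` in any trust field as the CA marker is an assumption of this sketch.

```python
# Constructed sample: (nickname, NSS trust string "SSL,S/MIME,code-signing").
# It models the softoken view of an HSM-backed database: trust is stored,
# but no entry carries the 'u' flag because the private keys are on the HSM.
HSM_VIEW = [
    ("caSigningCert cert-pki-ca", "CT,C,C"),
    ("EXAMPLE.TEST IPA CA", "CT,C,C"),
    ("ocspSigningCert cert-pki-ca", ",,"),
    ("subsystemCert cert-pki-ca", ",,"),
    ("auditSigningCert cert-pki-ca", ",,P"),
    ("Server-Cert cert-pki-ca", ",,"),
]


def parse_flags(trust):
    """Return (is_ca, has_key) for an NSS trust string."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"unexpected trust string: {trust!r}")
    flags = set("".join(fields))
    is_ca = bool(flags & set("cCT"))  # c: valid CA, C/T: trusted CA
    has_key = "u" in flags            # u: private key is present
    return is_ca, has_key


def select_keyless(certs):
    """Single test: every certificate without a private key."""
    return [nick for nick, trust in certs if not parse_flags(trust)[1]]


def select_keyless_cas(certs):
    """Combined test: CA trust flags set and no private key."""
    return [nick for nick, trust in certs
            if parse_flags(trust) == (True, False)]


if __name__ == "__main__":
    print("no-key test alone selects:", select_keyless(HSM_VIEW))
    print("with CA-flag test selects:", select_keyless_cas(HSM_VIEW))
```

On the constructed HSM view, the key-only test selects every entry, while the combined test selects only the two CA entries.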