61e1d7a certdb: validate certificate signatures

1 file. Authored by ftweedal 5 years ago, committed by cheimes 5 years ago.
    certdb: validate certificate signatures
    
    When verifying a CA certificate, validate its signature.  This
    causes FreeIPA to reject certificate chains with bad signatures,
    signatures using unacceptable algorithms, or certificates with
    unacceptable key sizes.  The '-e' option to 'certutil -V' was the
    missing ingredient.
    
    As an example of a problem prevented by this change, a certificate
    signed by a 1024-bit intermediate CA would previously have been
    imported by ipa-cacert-manage, but would cause Dogtag startup
    failure due to failing self-test.  With this change,
    ipa-cacert-manage will reject the certificate:
    
      # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
      Importing the renewed CA certificate, please wait
      CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
      in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
      certificate was signed using a signature algorithm that is
      disabled because it is not secure.
    
    Fixes: https://pagure.io/freeipa/issue/7761
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    
        
file modified
+9 -2