78298fd ipa-acme-manage: add certificate/request pruning management

3 files. Authored by rcritten a year ago, committed by frenaud a year ago.
    ipa-acme-manage: add certificate/request pruning management
    
    Configures PKI to remove expired certificates and non-resolved
    requests on a schedule.
    
    This is geared towards ACME which can generate a lot of certificates
    over a short period of time but is general purpose. It lives in
    ipa-acme-manage because that is the primary reason for including it.
    
    Random Serial Numbers v3 must be enabled for this to work.
    
    Enabling pruning enables the job scheduler within CS and sets the
    job user as the IPA RA user which has full rights to certificates
    and requests.
    
    Disabling pruning does not disable the job scheduler because the
    tool is stateless. Having the scheduler enabled should not be a
    problem.
    
    A restart of PKI is required to apply any changes. This tool forks
    out to pki-server which does direct writes to CS.cfg. It might
    be easier to use our own tooling for this but this makes the
    integration tighter so we pick up any improvements in PKI.
    
    The "cron" setting is quite limited, taking only integer values
    and *. It does not accept ranges, either - or /.
    
    No error checking is done in PKI when setting a value, only when
    attempting to use it, so some rudimentary validation is done.
    
    Fixes: https://pagure.io/freeipa/issue/9294
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
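
The commit message says the "cron" setting takes only integers and `*`, and that PKI checks a value only when it is used, so a check before the value is written is worthwhile. The sketch below is an added example, not the validation code from this commit; the five-field layout, the per-field bounds and the name `validate_cron` are assumptions.

```python
# Added illustration, not FreeIPA code. Assumes a five-field cron layout
# (minute, hour, day of month, month, day of week) with conventional bounds.
FIELDS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day of month", 1, 31),
    ("month", 1, 12),
    ("day of week", 0, 6),
)


def validate_cron(expr):
    """Return a list of problems; an empty list means the value is accepted."""
    parts = expr.split()
    if len(parts) != len(FIELDS):
        return ["expected %d fields, got %d" % (len(FIELDS), len(parts))]
    problems = []
    for value, (name, low, high) in zip(parts, FIELDS):
        if value == "*":
            continue
        # Ranges (-), steps (/) and lists (,) all fail this integer test.
        # isdecimal() alone would accept non-ASCII digits, so require ASCII.
        if not (value.isascii() and value.isdecimal()):
            problems.append("%s: %r is not an integer or *" % (name, value))
        elif not low <= int(value) <= high:
            problems.append("%s: %s outside %d-%d" % (name, value, low, high))
    return problems


# Constructed sample values: one accepted, four rejected.
SAMPLES = ["0 0 1 * *", "*/5 * * * *", "0 1-3 * * *", "0 24 * * *", "0 0 * *"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), validate_cron(sample) or "ok")
```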