Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction. Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.
When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.
Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>