f91b677 Don't require certificates to have unique ipaCertSubject

Authored and Committed by rcritten 3 months ago
    Don't require certificates to have unique ipaCertSubject
    
    In the wild a public CA issued a new subordinate CA certificate
    with an identical subject to another, with a new private key.
    This was uninstallable using ipa-cacert-manage because it would
    fail with "subject public key info mismatch" during verification
    because a different certificate with the same subject but
    different public key was installed.
    
    I'm not sure of the reasoning to prevent this situation but I
    see it as giving users flexibility. This may be hurtful to them
    but they can always remove any affected certs.
    
    This is backwards compatible with older releases from the client
    perspective. Older servers will choke on the duplicates and
    won't be able to manage these.
    
    A new serial number option is added for displaying the list of
    certificates and for use when deleting one with a duplicate subject.
    
    ipa-cacert-manage delete on systems without this patch will
    successfully remove ALL of the requested certificates. There is no
    way to distinguish. At least it won't break anything and the
    deleted certificates can be re-added.
    
    Fixes: https://pagure.io/freeipa/issue/9652
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    