fa6f0ca Use new certmonger locking to prevent NSS database corruption.

Authored and Committed by rcritten 11 years ago
    Use new certmonger locking to prevent NSS database corruption.
    
    dogtag opens its NSS database in read/write mode so we need to be very
    careful during renewal that we don't also open it up read/write. We
    basically need to serialize access to the database. certmonger does the
    majority of this work via internal locking from the point where it generates
    a new key/submits a renewal through the pre_save and releases the lock after
    the post_save command. This lock is held per NSS database so we're safe
    from certmonger. dogtag needs to be shut down in the pre_save state so
    certmonger can safely add the certificate and we can manipulate trust
    in the post_save command.
    
    Fix a number of bugs in renewal. The CA wasn't actually being restarted
    at all due to a naming change upstream. In python we need to reference
    services using python-ish names but the service is pki-cad. We need a
    translation for non-Fedora systems as well.
    
    Update the CA ou=People entry when the CA subsystem certificate is
    renewed. This certificate is used as an identity certificate to bind
    to the DS instance.
    
    https://fedorahosted.org/freeipa/ticket/3292
    https://fedorahosted.org/freeipa/ticket/3322
    
        
file modified
+7 -1
file modified
+27 -11
file modified
+105 -10