Title: #2919: Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing additional
certificate requests for non-Dogtag IPA certificates and performing
additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2919/head:pr2919
git checkout pr2919