freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

Support verifying LWCA (SubCA) certmonger requests #307

Closed rcritten closed 1 year ago

rcritten commented 1 year ago

healthcheck doesn't currently expect to see tracked LWCA certificates. These typically have the form of:

```
Request ID '20231027130916':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=test
        issued: 2023-10-27 09:07:04 EDT
        expires: 2043-10-27 08:59:05 EDT
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b"
        track: yes
        auto-renew: yes
```

They are currently reported as a warning about an unknown tracked certificate.

We can fetch the CA UUIDs from LDAP and build a template request for them so they no longer warn.
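The classification the comment above proposes, written out as an added example (this is not freeipa-healthcheck's own code): parse tracking requests, build the expected template for each sub-CA UUID from the field layout shown in the issue, and report both LWCA-looking requests that match no known sub-CA and known sub-CAs that have no tracking request at all. The LDAP lookup is replaced by a constructed set of UUIDs (in a real check these are assumed to come from the sub-CA entries' ipaCaId attribute), the input is `getcert list` text rather than certmonger's D-Bus interface, and the sample output is constructed, not captured from a host.

```python
"""Classify certmonger tracking requests for FreeIPA lightweight sub-CAs (LWCAs)."""
import re

# Constructed sample of `getcert list` output (not from a real host): the first request
# matches a sub-CA that exists in LDAP, the second carries a UUID LDAP does not know.
SAMPLE_GETCERT_LIST = """\
Request ID '20231027130916':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=test
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca 9a93fc7f-4246-4986-af45-7d7f85dd136b"
        track: yes
        auto-renew: yes
Request ID '20231027131500':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-0000-4000-8000-000000000000',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca 00000000-0000-4000-8000-000000000000',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca 00000000-0000-4000-8000-000000000000"
        track: yes
        auto-renew: yes
"""

# Constructed stand-in for the UUIDs a real check would fetch from LDAP (assumed: the
# ipaCaId attribute of the sub-CA entries). The second UUID has no tracking request.
KNOWN_LWCA_UUIDS = {
    "9a93fc7f-4246-4986-af45-7d7f85dd136b",
    "5f0e1d2c-3b4a-4596-8a7b-6c5d4e3f2a1b",
}

# Sub-CA signing certs carry the CA UUID after the main CA nickname.
LWCA_NICKNAME_RE = re.compile(r"^caSigningCert cert-pki-ca ([0-9a-f-]{36})$")


def parse_getcert_list(text):
    """Parse `getcert list` text into one dict of field -> value per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def lwca_template(uuid):
    """Expected tracking fields for one sub-CA, built from the layout in the issue."""
    nick = f"caSigningCert cert-pki-ca {uuid}"
    store = f"type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='{nick}',token='NSS Certificate DB'"
    return {
        "key pair storage": store + ",pin set",
        "certificate": store,
        "CA": "dogtag-ipa-ca-renew-agent",
        "profile": "caCACert",
        "pre-save command": "/usr/libexec/ipa/certmonger/stop_pkicad",
        "post-save command": f'/usr/libexec/ipa/certmonger/renew_ca_cert "{nick}"',
    }


def nickname_of(request):
    """Pull the NSS nickname out of a request's 'certificate' field."""
    m = re.search(r"nickname='([^']*)'", request.get("certificate", ""))
    return m.group(1) if m else ""


def check_lwca_tracking(getcert_text, known_uuids):
    """Return LWCA-looking requests that match no known sub-CA template, and known
    sub-CAs with no tracking request (the case ipa-server-upgrade is meant to fix)."""
    templates = {u: lwca_template(u) for u in known_uuids}
    unexpected, tracked = [], set()
    for req in parse_getcert_list(getcert_text):
        m = LWCA_NICKNAME_RE.match(nickname_of(req))
        if not m:
            continue  # not an LWCA nickname; other templates cover the standard IPA certs
        uuid = m.group(1)
        tmpl = templates.get(uuid)
        # A known UUID whose request deviates from the template in any field is still
        # reported, since the renewal hooks would not behave as IPA expects.
        if tmpl and all(req.get(k) == v for k, v in tmpl.items()):
            tracked.add(uuid)
        else:
            unexpected.append(req["request_id"])
    return {"unexpected": unexpected, "missing": sorted(set(known_uuids) - tracked)}


if __name__ == "__main__":
    print(check_lwca_tracking(SAMPLE_GETCERT_LIST, KNOWN_LWCA_UUIDS))
```

On the constructed sample this reports request 20231027131500 as unexpected (its UUID is not in the known set) and the second known UUID as missing a tracking request; the first request matches its template field for field and is accepted.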

rcritten commented 1 year ago

The failure looks like:

```json
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "4d31e52d-0da7-4434-8da8-2fc4bcae5e25",
    "when": "20231027151337Z",
    "duration": "1.124710",
    "kw": {
      "key": "20231027130916",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  }
```

rcritten commented 1 year ago

IPA does not generate a tracking request for subCAs after creation. One needs to run ipa-server-upgrade to add them.