This fixes several issues that came up via BSI's Certification Path
Validation Test Tool (CPT):
1) In compliance with RFC 4945, section 5.1.3.2, we now enforce that a
certificate used for IKE authentication either does not contain a keyUsage
extension (like the ones produced by pki --issue) or that it includes
digitalSignature or nonRepudiation.
2) CRLs that are not yet valid are now rejected as that could be a
problem in scenarios where expired certificates are removed from CRLs and
the clock on the host doing the revocation check is trailing behind that
of the host issuing CRLs.
3) Results other than revocation (e.g. a skipped check because the CRL
couldn't be fetched) are now stored also for intermediate CA certificates
and not only for end-entity certificates, so a strict CRL policy can be
enforced in such cases.
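
The three checks above as a stand-alone C model (an added example, not strongSwan's code). The types, KU_* flags and function names are hypothetical, and mapping a rejected or unfetchable CRL to a "skipped" result, as well as rejecting a CRL past nextUpdate, are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
/* All names are hypothetical, for this example only (not strongSwan's API). */
enum { KU_DIGITAL_SIGNATURE = 1 << 0, KU_NON_REPUDIATION = 1 << 1 };
typedef enum { REV_GOOD, REV_REVOKED, REV_SKIPPED } rev_t;
typedef struct { time_t this_update, next_update;
                 const unsigned *revoked; size_t n_revoked; } crl_t;
typedef struct { unsigned serial; bool has_ku; unsigned ku;
                 const crl_t *crl; /* NULL: CRL could not be fetched */ } cert_t;
/* Item 1: no keyUsage extension, or digitalSignature/nonRepudiation set. */
bool ike_key_usage_ok(const cert_t *c)
{
    return !c->has_ku || (c->ku & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION));
}

/* Item 2: a CRL with thisUpdate in the future (or, assumed, a stale one) is unusable. */
rev_t check_crl(const cert_t *c, time_t now)
{
    const crl_t *crl = c->crl;
    if (!crl || now < crl->this_update || now > crl->next_update)
        return REV_SKIPPED;
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == c->serial)
            return REV_REVOKED;
    return REV_GOOD;
}

/* Item 3: chain[0] is the end-entity cert, the rest are intermediate CAs. */
bool chain_acceptable(const cert_t *chain, size_t n, time_t now, bool strict)
{
    if (n == 0 || !ike_key_usage_ok(&chain[0]))
        return false;
    for (size_t i = 0; i < n; i++) {
        rev_t r = check_crl(&chain[i], now);
        if (r == REV_REVOKED || (strict && r != REV_GOOD))
            return false;
    }
    return true;
}

int main(void)
{
    crl_t crl = { 0, 100, NULL, 0 };  /* constructed sample data */
    cert_t chain[] = { { 42, false, 0, &crl }, { 1, true, 1 << 5, NULL } };
    printf("lenient=%d strict=%d\n", chain_acceptable(chain, 2, 50, false),
           chain_acceptable(chain, 2, 50, true));
    return 0;
}
```

In the sample chain the intermediate CA has no fetchable CRL, so the chain passes only when the policy is not strict.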