Description
When a certificate with duplicate extensions exists in storage and tidy is run, the process fails with:
unable to parse stored certificate with serial "06-e0-83-88-22-be-91-7f-8d-07-2e-21-35-01-f1-66-95-a0-de-35": x509: certificate contains duplicate extensions
return fmt.Errorf("unable to parse stored certificate with serial %q: %w", serial, err)
PR 16700 solved the problem of creating these invalid certificates, but there's no way to get rid of the ones that already exist.
To Reproduce
Have a certificate with duplicate extensions in storage.
Run the tidy process.
Expected behavior
Since certificates with duplicate extensions are invalid under RFC 5280, Section 4.2, a way to delete these invalid certificates should exist.
If tidy is run while certificates with duplicate extensions are present, they should either be skipped, OR tidy should stop with a warning that includes the command to delete them.
I'm working on the fix for this :)
fatima2003 changed the title from "Tidy and revoke error out on certificates with duplicate extension (Vault #27219)" to "Tidy errors out on certificates with duplicate extension (Vault #27219)" on Oct 29, 2024.
This is an issue reported on vault issues/27219 by @Garagoth.
This is the line catching the failure: openbao/builtin/logical/pki/path_tidy.go, line 875 in c920129.