Makes it harder for a compromised certificate to escape revocation by
renewing itself faster than it can be identified and revoked.

TODO:
- fix tests
- coverage
- maybe just refuse to renew any cert more than once, to prevent
  "lineage forks" without introducing such new deadline ? (probably not
  a good idea, losing one's certificate happens and should not cause
  such punishment)
- only enable for CAU certificates ?
- distinguish issuance tracking between renewal and user issuance ?
- auto-revoke certificates issued by renewal, but not those issued by user
  cert ?
- 10 days is way too long. above an hour it will get in the way, and
  revoking multiple should not take too long... if there was a way to
  recognise serials (cf. previous commit)