Sounds reasonable. Expirations may bite us later: It could be that we want to provision clients ahead of time with certificates not yet valid ("Not Before" field).
So the question is: How to define "validity". Do we need to check against a trust store?
At least the "Not After" field should be checked, since we do that upon authorization.
We probably also want to have a standardized error message format for the API, just like OAuth errors have a fixed format.
Currently, the Admin- and Selfservice APIs provide next to no error checking besides authorization.
One is able to import a certificate which is no longer valid via API: PUT call on '/api/v1/config/clients/:client_id/keys'
see: https://github.com/Fraunhofer-AISEC/omejdn-server/blob/master/omejdn.rb#L753
To avoid mistakes and long debugging sessions, the API shall refuse to import such an invalid certificate or at least provide a warning. Maybe we can do something with another parameter like `Boolean force_import`.
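
One way the import check discussed in this thread could look, as an added example that is not omejdn's own code: it rejects an expired certificate unless `force_import` is set, accepts a not-yet-valid one with a warning so clients can be provisioned ahead of time, and reports failures in an OAuth-style `error`/`error_description` shape. The function names, the `invalid_certificate` error code and that policy are assumptions; no trust-store check is made.

```ruby
require 'openssl'

# Hypothetical helper (not part of omejdn): decide whether a PEM certificate
# may be imported, looking only at its validity window.
def check_cert_import(pem, force_import: false, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  if now > cert.not_after
    msg = "certificate expired (Not After: #{cert.not_after.utc})"
    # Assumed policy: an expired certificate is only imported when forced,
    # and the caller still gets the reason back as a warning.
    return { status: 200, warning: msg } if force_import
    return { status: 400, error: 'invalid_certificate', error_description: msg }
  end
  # Assumed policy: "Not Before" in the future is allowed (pre-provisioning)
  # but flagged, so it does not turn into a silent authorization failure.
  warning = "certificate not valid before #{cert.not_before.utc}" if now < cert.not_before
  { status: 200, warning: warning }
rescue OpenSSL::X509::CertificateError => e
  { status: 400, error: 'invalid_certificate',
    error_description: "unparsable certificate: #{e.message}" }
end

# Constructed sample input: a throwaway self-signed certificate with a
# caller-chosen validity window.
def sample_cert_pem(not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sample-client')
  cert.public_key = key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  day = 86_400
  expired = sample_cert_pem(Time.now - 30 * day, Time.now - day)
  p check_cert_import(expired)
  p check_cert_import(expired, force_import: true)
end
```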