Configure PKIXRevocationChecker to only check end-entity certificates and
use soft-fail for unavailable revocation information.

This attempts to balance security and reliability:
- Focusing revocation checks on leaf certificates, where revocation is most critical, avoiding issues with missing root certificate CRL distribution points
- Preventing validation failures when OCSP/CRL servers are unreachable or when revocation information isn't available for some certificates
- Avoiding common issues with intermediate/root certificate CRL checking

Allow administrators to configure revocation checking behaviour. If Openfire is operating in a closed, tightly controlled network, an administrator can reconfigure the balance between security and reliability.

Configure Java and BouncyCastle to enable CRL Distribution Points (CRLDP) checking.

Openfire will now attempt to download CRLs from the URLs specified in the certificate's CRL Distribution Points extension, regardless of whether it's using BC or the Java built-in certificate validation.

Tightening up the default revocation checking config now that we can check revocation status of intermediate certificates via CRLDPs.