Async enrollment: server-side basic X509 certificate chain check

Check the x509 certificate chain:
- Ensure each certificate is valid
- At most there should 10 items in the chain (cf. https://docs.openssl.org/3.3/man3/SSL_CTX_set_max_cert_list/#notes)
- Reject if some additional items are provided in the intermediate list

(Note this is still not a full certificate chain validation since the root certificate is not checked, which is something for another PR)