Resolves: pki trac ticket #850,1247,1536,2460,2486,2498,2500,2510,2513,2523
    
    - PKI TRAC Ticket #850 - JSS certificate validation function does not pass up
      exact errors from NSS (edewata)
      (Failed to start pki-tomcatd Service - "ipa-cacert-manage renew" failed?)
    - PKI TRAC Ticket #1247 - Better error message when try to renew a certificate
      that expires outside renewal grace period (alee)
    - PKI TRAC Ticket #1536 - CA EE: Submit caUserCert request without uid does
      not show proper error message (alee)
    - PKI TRAC Ticket #2460 - Typo in comment line of UserPwdDirAuthentication.java
      (edewata)
    - PKI TRAC Ticket #2486 - Automatic recovery of encryption cert is not working
      when a token is physically damaged and a temporary token is issued (jmagne)
    - PKI TRAC Ticket #2498 - Token format with external reg fails when
      op.format.externalRegAddToToken.revokeCert=true (cfu)
    - PKI TRAC Ticket #2500 - Problems with FIPS mode (edewata)
    - PKI TRAC Ticket #2500 - Problems with FIPS mode (edewata)
      (added KRA key recovery via CLI in FIPS mode)
    - PKI TRAC Ticket #2510 - PIN_RESET policy is not giving expected results when
      set on a token (jmagne)
    - PKI TRAC Ticket #2513 - TPS token enrollment fails to setupSecureChannel
      when TPS and TKS security db is on fips mode. (jmagne)
    - Reverted patches associated with
      PKI TRAC Ticket #2523 - Changes to target.agent.approve.list parameter is
      not reflected in the TPS Web UI