Put each PEM in its own file, remove expiring one

[zachmargolis]

I realized that #189 put 3 certs in one PEM file. And one of those was still expiring in 30 days

This PR

1. splits the p7b into separate PEMs (via script, also coming soon to a handbook near you)

    openssl pkcs7 -print_certs  -in "$p7b_path" -inform der | ruby -ropenssl -e 'STDIN.read.split("\n\n").each_with_index { |c, i| subject = OpenSSL::X509::Certificate.new(c).subject.to_s(OpenSSL::X509::Name::COMPAT); File.open("config/certs/#{subject} #{"%02d" % i}.pem", "w") { |f| f.puts c } }'

2. removes the one invalid cert
   • Also update certs:remove_invalid task to be able to delete future expiring certs

There's a little bit of diff noise because the numbering system of the script just uses the order of the certs in the PEM file which doesn't match the order of the certs we have in source control already