Make user https push certificates revokable

Since users now have a UUID assigned at creation time,
a subca is created for each user which includes this UUID
and the actual push certificates are issued by it.
When a user is removed, the user's subca can be revoked.
If a new user with the same name is added, that user will
have a different UUID and therefore the subca will be
different and not be accidentally considered revoked even
though the prior-user-with-the-same-name's subca has been
revoked.
Certificates are revoked by serial number and making sure
the name is different (by including the UUID) will
guarantee that a new-user-by-the-same-name-as-a-removed-user
will have a subca with a different serial number.
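
The re-added-user case described above, as an added example that is not part of this commit or the project's code. It assumes the sub-CA serial number is derived by hashing the subject name (the commit message does not say how serials are derived); `PushCA`, `serial_for`, `readd_same_name` and the user name `alice` are hypothetical.

```python
import hashlib
import uuid


def serial_for(subject):
    """Assumed scheme: serial = first 64 bits of SHA-256 over the subject name."""
    return int.from_bytes(hashlib.sha256(subject.encode()).digest()[:8], "big")


class PushCA:
    """Toy model of the issuing side: per-user sub-CAs, revocation by serial."""

    def __init__(self, include_uuid):
        self.include_uuid = include_uuid
        self.users = {}        # name -> UUID assigned at creation time
        self.revoked = set()   # serial numbers of revoked sub-CAs

    def _subject(self, name):
        # With include_uuid the sub-CA name carries the user's UUID.
        if self.include_uuid:
            return f"CN={name} {self.users[name]}"
        return f"CN={name}"

    def add_user(self, name):
        """Create the user and return the serial of the user's sub-CA."""
        self.users[name] = uuid.uuid4()
        return serial_for(self._subject(name))

    def remove_user(self, name):
        """Revoke the user's sub-CA by serial, then delete the user."""
        self.revoked.add(serial_for(self._subject(name)))
        del self.users[name]

    def is_revoked(self, serial):
        return serial in self.revoked


def readd_same_name(include_uuid):
    """Return (old sub-CA revoked?, new same-name sub-CA revoked?)."""
    ca = PushCA(include_uuid)
    old = ca.add_user("alice")   # constructed sample user
    ca.remove_user("alice")
    new = ca.add_user("alice")   # same name, fresh UUID
    return ca.is_revoked(old), ca.is_revoked(new)
```

Without the UUID in the name, the re-added user's sub-CA inherits the removed user's revocation; with it, only the old sub-CA is revoked.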