Comment 5 for bug 2028683

@bas; yup, good sleuthing! It's a very subtle error, and I don't think the logic is quite correct. Obviously, there is an error in assuming that the 'ca' key is appearing in the data sent from the certificate provider if it's a legacy request. Unpicking this might be a bit complex due to two different methods of requested certificates on the relation.