RHEL-4818

When more than one certificate is stored in an LDAP object, the 'ipa' tool always shows data that belongs to the old certificate

    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • rhel-7.6
    • ipa
    • Normal
    • sst_idm_ipa
    • ssg_idm
    • False

      Description of problem:
      An IdM object can contain more than one certificate. When you use 'ipa service-show <principal>' or 'ipa service-find', both certificates are displayed, but the 'serial' and 'expiry' date show the data from the old rather than the renewed certificate. This is very confusing.

      I suppose the same is also true for host and user objects, but I didn't verify this.

      Version-Release number of selected component (if applicable):
      ipa-server-4.6.4-10.1ts.el7.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      1. Renew any service certificate
      2. Make sure the service entry has more than one certificate attached
      3. Call 'ipa service-show <service-principal>'

      Actual results:
      The output shows data that belongs to the old certificate.

      Expected results:
      The output should show data that belongs to the new certificate.

      Additional info:

            frenaud@redhat.com Florence Renaud
            rhn-support-tscherf Thorsten Scherf
            Florence Renaud Florence Renaud
            IPA QE Bot IPA QE Bot