Graceful handling of locked accounts
If a valid certificate exists, but it doesn't work (due to the CA being misconfigured or the account otherwise being locked), Strudel2 will enter an endless cycle of error messages.
We need a more graceful/informative failure mode.