Does the same checks as checkCertificatePair and in addition checks that
the sub is not listed in the possible CRL issued by the CA represented by
the anchor.
only for testing! overrides the expiration checking during the cert
loading so that expired certs can be loaded to test the certificate
rejection at the server end.