Tidy and revoke error out on certificates with duplicate extension #27219

Open

Garagoth opened this issue May 24, 2024 · 0 comments

Describe the bug
Trying to revoke certain certificates or run tidy on PKI ends with an error and the process is interrupted:

unable to parse stored certificate with serial \"06-e0-83-88-22-be-91-7f-8d-07-2e-21-35-01-f1-66-95-a0-de-35\": x509: certificate contains duplicate extensions

I think it was fixed with #16700, but that only fixes, as far as I understand, creation of certificates, and has nothing to do with existing certificates.
All certificates in this PKI were created the same way, using either /v1/pki/sign-verbatim on a CSR or /v1/pki/issue/client_cert.role.

To Reproduce
Steps to reproduce the behavior - not sure now?
Those certificates were created on Vault version 1.12.2 or earlier; we are now on 1.15.6.

Expected behavior
The tidy process completes, simply deleting the incorrect certificates (especially since those are already expired). Revoking such a certificate might be problematic, but I would instead like to simply be able to delete the offending entities.

Environment:

  • Vault Server Version (retrieve with vault status): 1.15.6
  • Vault CLI Version (retrieve with vault version): Vault v1.15.6 (615cf6f), built 2024-02-28T17:07:34Z
  • Server Operating System/Architecture: Ubuntu 22.04, x86_64

Vault server configuration file(s):


client_cert.role:

{
  "allow_any_name": true,
  "allow_bare_domains": false,
  "allow_glob_domains": false,
  "allow_ip_sans": true,
  "allow_localhost": false,
  "allow_subdomains": true,
  "allow_token_displayname": false,
  "allow_wildcard_certificates": true,
  "allowed_domains": [
    "*"
  ],
  "allowed_domains_template": false,
  "allowed_other_sans": [],
  "allowed_serial_numbers": [],
  "allowed_uri_sans": [],
  "allowed_uri_sans_template": false,
  "allowed_user_ids": null,
  "basic_constraints_valid_for_non_ca": false,
  "client_flag": true,
  "cn_validations": [
    "email",
    "hostname"
  ],
  "code_signing_flag": false,
  "country": [
    "PL"
  ],
  "email_protection_flag": false,
  "enforce_hostnames": false,
  "ext_key_usage": [],
  "ext_key_usage_oids": [],
  "generate_lease": false,
  "issuer_ref": "v2",
  "key_bits": 4096,
  "key_type": "rsa",
  "key_usage": [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment"
  ],
  "locality": [],
  "max_ttl": 0,
  "no_store": false,
  "not_after": "",
  "not_before_duration": 30,
  "organization": [],
  "ou": [],
  "policy_identifiers": [],
  "postal_code": [],
  "province": [],
  "require_cn": true,
  "server_flag": false,
  "signature_bits": 256,
  "street_address": [],
  "ttl": 31536000,
  "use_csr_common_name": false,
  "use_csr_sans": true,
  "use_pss": false
}

Is there any way to delete those certificates? The tidy process for us errors on checking entry 67 of 43259. I think I could iterate over all certificates manually, check using openssl whether they have duplicated extensions, and delete them, but I cannot find a way to delete a certificate.
