Handle certificate re-request/renewal in `cr`

At present every incoming request to `cr` generates  a new certificate and registration. This registration logic needs to be improved when devices re-request a certificate (renewal, etc.), and also to ensure that UUIDs for incoming requests are not on the blocklist (at which point the request should be rejected).