There are a number of places in the Certificate methods where we duplicate validation logic that is already done when we parse a certificate. There are a number of reasons for this, mainly because we didn't do a lot of this validation logic in the old encoding/asn1 parser which was replaced.

We should just document that the results of the Certificate methods are only valid if called on Certificates returned from ParseCertificate, since directly constructing Certificates is not intended to be an expected use case. This will allow us to simplify a number of the methods.

cc @FiloSottile