Free server certificate (x509cert) after SSL_CTX_use_certificate in OpenSSLContext

SSL_CTX_use_certificate makes an internal copy, so the caller should free
the original. This is the same class of bug fixed by commit 8ef5efc for
client CA certificates after SSL_CTX_add_client_CA.

X509_free is added on:
- early return when private key parsing fails (x509cert already allocated)
- error path when SSL_CTX_use_certificate fails
- success path after SSL_CTX_use_certificate (copy already made internally)

Co-authored-by: markt-asf <markt@apache.org>

Author: Copilot

java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java

@@ -1248,12 +1248,15 @@ public boolean addCertificate(SSLHostConfigCertificate certificate, Arena localA
                         PEM_read_bio_PrivateKey(keyBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
                 if (MemorySegment.NULL.equals(privateKeyAddress)) {
                     logLastError("openssl.errorLoadingPrivateKey");
+                    X509_free(x509cert);
                     return false;
                 }
                 if (SSL_CTX_use_certificate(state.sslCtx, x509cert) <= 0) {
                     logLastError("openssl.errorLoadingCertificate");
+                    X509_free(x509cert);
                     return false;
                 }
+                X509_free(x509cert);
                 if (SSL_CTX_use_PrivateKey(state.sslCtx, privateKeyAddress) <= 0) {
                     logLastError("openssl.errorLoadingPrivateKey");
                     return false;