Use PyCA crypto provider for KRAClient
    
    The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
    NSSCryptoProvider for KRAClient connections. The
    CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
    and unwrapping. The change will allow Dogtag to remove the
    NSSCryptoProvider and drop python-nss as a dependency.
    
    The code in ipaserver.plugins.dogtag creates a Certificate object to
    work around a bug in Dogtag. Dogtag supports paths but passes the wrong
    type to PyCA cryptography.
    
    Fixes: https://pagure.io/freeipa/issue/8814
    See: https://github.com/dogtagpki/pki/issues/3499
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>