3985183 Debian: write out only one CA certificate per file

5 files Authored by yrro 4 years ago, Committed by abbra 4 years ago,
    Debian: write out only one CA certificate per file
    
    ca-certificates populates /etc/ssl/certs with symlinks to its input
    files and then runs 'openssl rehash' to create the symlinks that libssl
    uses to look up a CA certificate to see if it is trusted.
    
    'openssl rehash' ignores any files that contain more than one
    certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.
    
    With this change, we write out trusted CA certificates to
    /usr/local/share/ca-certificates/ipa-ca, one certificate per file.
    
    The logic that decides whether to reload the store is moved up into the
    original `insert_ca_certs_into_systemwide_ca_store` and
    `remove_ca_certs_from_systemwide_ca_store` methods. These methods now
    also handle any exceptions that may be thrown while updating the store.
    
    The functions that actually manipulate the store are factored out into
    new `platform_{insert,remove}_ca_certs` methods, which implementations
    must override.
    
    These new methods also orchestrate the cleanup of deprecated files (such
    as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
    the cleanup code be included in the same method that creates
    `/etc/pki/ca-trust/source/ipa.p11-kit`.
    
    As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
    systems will now also have
    `/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
    `p11-kit` in Debian does not use this file.
    
    Fixes: https://pagure.io/freeipa/issue/8106
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
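Added example (not part of the FreeIPA commit above): the one-certificate-per-file rule the message describes, written as a small stand-alone Python helper. It splits a PEM bundle into individual files under a directory, removes files left over from a previous run, and then checks that every `.crt` file holds exactly one certificate, which is the property `openssl rehash` needs. The sample bundle is constructed with placeholder base64 payloads rather than real certificates; the file naming (`ipa-ca-<n>.crt`) and the `.crt` suffix are assumptions for the example, chosen because `update-ca-certificates` only picks up `.crt` files from `/usr/local/share/ca-certificates`.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample bundle with two placeholder certificate bodies.
# The base64 lines are not real certificates; they only exercise the parser.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIx
-----END CERTIFICATE-----
"""

# One PEM certificate block, BEGIN line through END line (non-greedy so that
# adjacent blocks in a bundle are matched separately).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return each PEM certificate block in `bundle`, in order, newline-terminated."""
    certs = []
    for match in PEM_CERT_RE.finditer(bundle):
        block = match.group(0)
        if not block.endswith("\n"):
            block += "\n"
        certs.append(block)
    return certs


def count_certs(text: str) -> int:
    """Number of PEM certificate blocks in `text`."""
    return len(PEM_CERT_RE.findall(text))


def write_one_per_file(bundle: str, dest_dir: Path, prefix: str = "ipa-ca") -> list[Path]:
    """Write each certificate in `bundle` to dest_dir/<prefix>-<n>.crt.

    Files matching the same prefix that were not written on this run are
    removed, so a shrinking CA set does not leave stale trust anchors behind.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, cert in enumerate(split_pem_bundle(bundle), start=1):
        path = dest_dir / f"{prefix}-{n}.crt"
        path.write_text(cert)
        written.append(path)
    for stale in dest_dir.glob(f"{prefix}-*.crt"):
        if stale not in written:
            stale.unlink()
    return written


def check_one_cert_per_file(dest_dir: Path) -> list[Path]:
    """Return .crt files under dest_dir that do not contain exactly one
    certificate; these are the files 'openssl rehash' would silently skip."""
    return [
        p for p in sorted(dest_dir.glob("*.crt"))
        if count_certs(p.read_text()) != 1
    ]


def demo() -> dict:
    """Run the split/write/check sequence in a temporary directory and
    report the intermediate results (used to exercise the helpers)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        written = write_one_per_file(SAMPLE_BUNDLE, dest)
        bad_after_split = check_one_cert_per_file(dest)
        # Drop a whole bundle into the directory to show the check catching it.
        bundle_path = dest / "ipa-ca-bundle.crt"
        bundle_path.write_text(SAMPLE_BUNDLE)
        bad_after_bundle = [p.name for p in check_one_cert_per_file(dest)]
        # Re-run with a single certificate: the second file and the bundle go away.
        rerun = write_one_per_file(split_pem_bundle(SAMPLE_BUNDLE)[0], dest)
        remaining = sorted(p.name for p in dest.glob("*.crt"))
    return {
        "written": len(written),
        "bad_after_split": [p.name for p in bad_after_split],
        "bad_after_bundle": bad_after_bundle,
        "rerun_written": len(rerun),
        "remaining": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

On a real Debian host the directory would be `/usr/local/share/ca-certificates/ipa-ca` followed by `update-ca-certificates`, which is what triggers the `openssl rehash` step the commit message refers to.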
        
file modified
+4 -0
file modified
+36 -0
file modified
+7 -1
file modified
+118 -0
file modified
+94 -100