NSSWrappedCertDB: accept optional symmetric algorithm
    
    Add support for Custodia ca_wrapped clients to specify the desired
    symmetric encryption algorithm for exporting the wrapped signing key
    (this mechanism is used for LWCA key replication).  If not
    specified, we must assume that the client has an older Dogtag
    version that can only import keys wrapped with DES-EDE3-CBC
    encryption.
    
    The selected algorithm gets passed to the 'nsswrappedcert' handler,
    which in turn passes it to the 'pki ca-authority-key-export' command
    (which is part of Dogtag).
    
    Client-side changes will occur in a subsequent commit.
    
    Part of: https://pagure.io/freeipa/issue/8020
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>