Previous versions used a bogus /etc/ssl/blacklisted setup to manage the
blacklist, which had a number of issues. Most notably, certctl blacklist
could not possibly work as the next rehash would remove it from
/etc/ssl/blacklisted if it wasn't added to one of the source directories
that generate it.

This is basically just a certctl concept anyways, since applications will
not honor it. Replace it with a tempdir that we'll hash the blacklist into
as needed (for more efficient lookups).

Additionally, add in a /usr/local/share/certs/blacklisted that
certctl blacklist will install certs into. certctl unblacklist will
search all of the paths we can have them at and remove all matching certs
that it finds.

PR: 250681