sysutils/vm-bhyve: add security/ca_root_nss as a RUN_DEPENDS

"vm iso" uses fetch(1) to download iso files. A major source of iso files
is download.freebsd.org. If no other source of certificates has been
installed, fetch will use OpenSSL's default CA cert and path settings, but
those don't recognize the Let's Encrypt certificate used by
download.freebsd.org.

Installing security/ca_root_nss provides an alternative bundle of root
certificates, which do trust download.freebsd.org. Since
download.freebsd.org is so critically important to most vm-bhyve users,
security/ca_root_nss should be a RUN_DEPENDS.

PR: 222109
Approved by: churchers@gmail.com (maintainer timeout)
Sponsored by: Spectra Logic Corp