MFS r361310: MFC r361022-361023, 361148: certctl(8) fixes

r361022: certctl(8): don't completely nuke $CERTDESTDIR

It's been reported/noted that a well-timed certctl rehash will completely
obliterate $CERTDESTDIR, which may get used by ports or system
administrators. While we can't guarantee the certctl semantics when other
non-certctl-controlled bits live here, we should make some amount of effort
to play nice.

Pruning all existing links, which we'll subsequently rebuild as needed, is
sufficient for our needs. This can still be destructive, but it's perhaps
less likely to cause issues.

I also note that we should probably be pruning /etc/ssl/blacklisted upon
rehash as well.

r361023: certctl: follow-up to r361022, prune blacklist as well

Otherwise, removals from the blacklist may not get processed as they should.

While we're here, restructure these to not bother with mkdir(1) if we've
already tested them to exist.

r361148: certctl: don't fall over flat with relative DESTDIR

Up until now, all of our DESTDIR use has been with absolute paths. It turned
out that the cd in/out dance we do here breaks us down later on, as the
relative path no longer resolves.

Convert EXTENSIONS to an ERE that we'll use to grep ls -1 of the dir we're
inspecting, rather than cd'ing into it and globbing it up.

Approved by: re (kib)