caroot: properly remove old distrusted roots

The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.

Users must still certctl rehash after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.

Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.

Reported by: Helge Oldach <freebsd oldach net>
MFC after: 3 days