Resolves: RHEL-50293
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
Add the --output option to update-ca-trust so that trust stores can be
written to a different output directory. This is useful to prepare trust
store directories that can be used in containers.
Additionally, fix running update-ca-trust as non-root user
(specifically, without CAP_DAC_OVERRIDE) which was previously required
to create two symbolic links.
Quote all uses of $DEST since a user-specified path could contain
spaces.
Resolves: rhbz#2241240
