certdb: use custom object for trust flags

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

ipaserver/install/ipa_cacert_manage.py

@@ -26,7 +26,9 @@ import gssapi
 
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
-from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
+from ipapython.certdb import (EMPTY_TRUST_FLAGS,
+                              EXTERNAL_CA_TRUST_FLAGS,
+                              parse_trust_flags)
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipalib import api, errors, x509
@@ -366,6 +368,8 @@ class CACertManage(admintool.AdminTool):
             len(trust_flags.split(',')) != 3):
             raise admintool.ScriptError("Invalid trust flags")
 
+        trust_flags = parse_trust_flags(trust_flags)
+
         try:
             certstore.put_ca_cert_nss(
                 api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)