caroot: Ignore soft distrust of server CA certificates after 398 days

Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previous ones are
still valid, but at most for 398 days after the distrust date.

See also:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
• https://github.com/Lukasa/mkcert/issues/19
• https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
• https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

Tested by: michaelo
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49075

(cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02)