caroot: update CA bundle processor

Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.

Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.

(cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab)