certctl: follow-up to r361022, prune blacklist as well

Otherwise, removals from the blacklist may not get processed as they should.

While we're here, restructure these to not bother with mkdir(1) if we've
already tested them to exist.

MFC after: 3 days