separate CA cert bundles from workload RSA PSS pubkeys

[michaeldye]

The packaging puts the RSA PSS pubkeys in the same directory as the CA cert bundles, both of which are PEM-encoded. Since anax reads any found pubkeys from a directory, it must regularly handle the soft failure of reading a non-pubkey and ignoring it (which it does properly). To make this cleaner, we can separate the two different kinds of files. I propose the following directory structure:

/etc/horizon/trust/keys : contains RSA PSS workload-checking pubkeys
/etc/horizon/trust/certs : contains x509 CA certs for web downloads and other SSL connections