Use validate_cmd to validate a CA before writing

[ekohl]

This uses the built in validation of input. If the content is invalid, it is never written to the desired location. To make it easier, it first removes the almost duplicate branches.

Perhaps this also fixes the failed chaining of notifications that plagues Debian 11.

[ekohl]

So this doesn't appear to resolve #85, even though I'd expect it to. It's calling the right exec:

  Notice: /Stage[main]/Main/Trusted_ca::Ca[test]/File[/usr/local/share/ca-certificates/test.crt]/ensure: defined content as '{sha256}93863a10f8b1629bbc46eb31a7af0f5c3cda37e45162c86282d34c37e9d3108c'
  Info: /Stage[main]/Main/Trusted_ca::Ca[test]/File[/usr/local/share/ca-certificates/test.crt]: Scheduling refresh of Exec[update_system_certs]
  Notice: /Stage[main]/Trusted_ca/Exec[update_system_certs]: Triggered 'refresh' from 1 event
  Notice: Applied catalog in 1.21 seconds