
Add info whether the native cert is builtin or user/admin installed

Open est31 opened this issue 3 years ago • 0 comments

It would be helpful to know if a certificate has been shipped by the OS, or was installed by the user or the administrator. This unlocks two use cases:

  • ignore the certificates from the first category and use a different root store as the basis, like the ones from the webpki-roots crate.
  • impose special requirements on the OS builtin certificates. Chrome does this, for example, by limiting how long a certificate can be valid. Another requirement might be a check for an SCT.

In Chromium, this check is implemented via an `is_known_root` field on the verification result. The value is populated from the respective OS backends.

est31, Dec 03 '20 03:12
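As an added illustration (not code from rustls-native-certs or Chromium) of how a consumer could act on the flag the issue asks for: `NativeRoot`, `LeafInfo`, `roots_with_fallback` and `check_known_root_policy` are hypothetical names, and the leaf's validity window and SCT count are constructed inputs rather than values parsed from DER.

```rust
// Added example: consuming a hypothetical `is_known_root` flag for the two
// use cases in the issue (swap in a fallback store; stricter checks for OS roots).

/// Hypothetical loader output: DER bytes plus whether the OS shipped the root.
#[derive(Clone, Debug, PartialEq)]
pub struct NativeRoot {
    pub der: Vec<u8>,
    pub is_known_root: bool,
}

/// Use case 1: drop OS-shipped roots and trust `fallback` (e.g. webpki-roots)
/// instead, while still honouring roots the user or administrator installed.
pub fn roots_with_fallback(native: &[NativeRoot], fallback: &[Vec<u8>]) -> Vec<Vec<u8>> {
    let mut roots: Vec<Vec<u8>> = fallback.to_vec();
    roots.extend(native.iter().filter(|r| !r.is_known_root).map(|r| r.der.clone()));
    roots
}

/// Minimal view of a verified chain's leaf: validity as Unix seconds and the
/// number of SCTs it carried (constructed here, not parsed from the certificate).
pub struct LeafInfo {
    pub not_before: u64,
    pub not_after: u64,
    pub sct_count: usize,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    LifetimeTooLong { secs: u64 },
    MissingSct,
}

/// Use case 2: extra requirements applied only when the chain ends at an
/// OS-shipped root. Chains to locally installed roots are exempt, which is
/// how the issue describes Chromium scoping its lifetime and SCT checks.
pub fn check_known_root_policy(leaf: &LeafInfo, chain_root_is_known: bool, max_leaf_secs: u64) -> Result<(), PolicyError> {
    if !chain_root_is_known {
        return Ok(());
    }
    let secs = leaf.not_after.saturating_sub(leaf.not_before);
    if secs > max_leaf_secs {
        return Err(PolicyError::LifetimeTooLong { secs });
    }
    if leaf.sct_count == 0 {
        return Err(PolicyError::MissingSct);
    }
    Ok(())
}
```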