only CAs specified in a P1 should be written out to cacerts
Currently all CA certs are written out to ipsec.d/cacerts/ where that should only be CAs specified on a P1 in the configuration.
Limit strongswan trusted CA certificates to those required for authentication of
the configured IPsec SA's instead of trusting all known CA's. Fixes #5243.