Exfiltrate cert code from DevicePolicyManager

The intent is for this not to cause any behaviour changes, just to
make it easier to see what is going on with the code.

Permissions are checked in DevicePolicyManagerService. All calls to
CertificateMonitor are privileged.

Test: runtest -x frameworks/base/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases
Change-Id: I98224087315a62234732f08b53fe91884be86386