I think this needs three bits:
- something like a system service that imports certificates from a pre-defined dir (which the service watches with inotify for changes) should be shipped in the core snap…
- only snapd should be able to write to that directory …
- an interface that allows snaps to trigger an import of a shipped cert into that dir is provided by snapd
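
One import pass for the kind of service described in the post above, as an added example that is not from the post or from snapd: it refuses to run unless the drop directory is owned by the expected uid and is not group- or world-writable, and it copies only regular `.crt` files with valid PEM framing. The function names, the `.crt` suffix and the directory arguments are assumptions; an inotify watcher would call `import_certs` on each change event.

```python
import os
import shutil
import ssl
import stat
from pathlib import Path


def dir_is_locked_down(path, owner_uid):
    """True only for a real directory owned by owner_uid with no group/other write bit."""
    st = os.lstat(path)  # lstat: a symlink standing in for the directory is rejected
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == owner_uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def import_certs(drop_dir, store_dir, owner_uid):
    """Run one import pass. Returns (imported, rejected) lists of file names."""
    if not dir_is_locked_down(drop_dir, owner_uid):
        raise PermissionError(f"{drop_dir} is not writable by uid {owner_uid} alone")
    imported, rejected = [], []
    for entry in sorted(Path(drop_dir).iterdir()):
        # Symlinks and special files are skipped so nothing outside the
        # directory can be pulled into the trust store.
        if not stat.S_ISREG(entry.lstat().st_mode) or entry.suffix != ".crt":
            rejected.append(entry.name)
            continue
        try:
            # Checks PEM header/footer and base64 only, not the X.509 structure.
            ssl.PEM_cert_to_DER_cert(entry.read_text())
        except ValueError:  # also covers UnicodeDecodeError and binascii.Error
            rejected.append(entry.name)
            continue
        shutil.copyfile(entry, Path(store_dir) / entry.name)
        imported.append(entry.name)
    return imported, rejected
```

A production service would also parse each certificate fully before trusting it; the framing check here only filters out files that are obviously not certificates.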