Currently, policy-provided client certificates(*) are imported into NSS (see CertificateImporterImpl).
This has three consequences:
(1) the key material is imported onto the private slot,
(2) when the policy stops providing them, they remain in NSS,
(3) dependency on NSS.
Tasks:
- Investigate if (1) is something people expect (after the key material was just sent in clear text in policy)
- Investigate if (2) is something people rely on
- If no one expects (1), see if it would be possible to provide policy-provided client certs through a mechanism similar to extension-provided client certs.
Main goal: Simplification / avoiding dependency on NSS.
(*) Note that I've recently learned that some EMMs indeed serve client certs through enterprise policy, so we can't drop support.