Puppet / PUP-11471

Allow Puppet::HTTP::Client to connect to a server trusted by the system trust store using the puppet certificate for client authentication

Details


      The following code works:

      url = 'https://example.com/file.tar.gz' # server trusted by system trust store, and demanding a client certificate signed by the puppet CA
      client = Puppet.runtime[:http]
      client.get(URI(url), options: { include_system_store: true }) do |response|
        raise 'Failed to download artifact' unless response.success?
       
        response.read_body { |data| do_something(data) }
      end

    • Phoenix
    • 1
    • Phoenix 2022-03-30, Phoenix 2022-04-13
    • smortex
    • 48141
    • 1
    • Enhancement
    • You can now specify an "https" URL as the "source" of a "file" resource when the TLS server requires a client certificate for authentication.
    • Needs Assessment

    Description

      On instantiation, a Puppet::HTTP::Client uses a Puppet::SSL::Context to verify secure connections to remote hosts. The Puppet::SSL::Provider provides convenience methods to build SSL Contexts:

      1. create_insecure_context: An insecure SSL Context, allowing connections to any host without verification and not allowing client certificate authentication;
      2. create_root_context: A basic SSL Context trusting the passed certificates and not allowing client certificate authentication;
      3. create_system_context: A basic SSL Context trusting system certificates but not checking CRLs (because they do not exist) and not allowing client certificate authentication;
      4. create_context: An SSL Context suitable for communication with puppet, trusting only the puppet CA, checking CRLs and using client certificate authentication.

      None of these SSL Contexts allows downloading files served by a server using a certificate signed by a trusted third party (system store) while also requiring client certificate authentication. We use this scheme to distribute files to our puppet nodes from servers which use standard TLS certificates provided by Let's Encrypt: the certificate is trusted in the system store, but we also require a client certificate signed by our Puppet CA for the client to download files (our rationale is that we want to use "standard" certificates to allow access to the files with either login+password or a trusted client certificate, and since the code is also used by Bolt, it is convenient to rely on Puppet::HTTP::Client to download these files).

      This issue is about making it possible for the base Puppet HTTP Client to generate an SSL Context suitable for this kind of usage:

      1. Verify the remote host against the system-trusted CAs;
      2. Do not enforce CRL checks because there are none for the system trust store;
      3. Authenticate using the puppet node certificate.
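      As an added illustration (not code from this issue or from Puppet), the three requirements above expressed directly with Ruby's OpenSSL bindings. The CAs and certificates are generated in memory as constructed stand-ins for the system store and the Puppet CA, and the method names (make_cert, system_store_client_auth_context, demo) are not Puppet's; it also shows why a CRL check cannot be enforced against a store that carries no CRLs.

```ruby
require 'openssl'

# Self-signed CA or leaf certificate. Constructed test material: in the issue's
# scenario the server CA lives in the system trust store and the client
# certificate is the node's Puppet-issued certificate.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The combination the issue asks for: verify the server against the trusted CAs,
# require no CRLs (the system store ships none), present the node certificate.
def system_store_client_auth_context(trusted_cas, client_cert, client_key)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) } # a real system context would call store.set_default_paths
  store.flags = 0 # create_context would add V_FLAG_CRL_CHECK here; we deliberately do not
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert = client_cert # client authentication, as create_context does for puppet
  ctx.key = client_key
  ctx
end

# Exercise the context: a server cert from the "public" CA, one from the Puppet CA,
# and the same public-CA store with CRL checking forced on.
def demo
  public_key, puppet_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  public_ca = make_cert('/CN=Public CA', public_key, ca: true)
  puppet_ca = make_cert('/CN=Puppet CA', puppet_key, ca: true)
  server_key, node_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  public_server = make_cert('/CN=example.com', server_key, issuer: public_ca, issuer_key: public_key)
  puppet_server = make_cert('/CN=puppet', server_key, issuer: puppet_ca, issuer_key: puppet_key)
  node_cert = make_cert('/CN=node.example.com', node_key, issuer: puppet_ca, issuer_key: puppet_key)
  ctx = system_store_client_auth_context([public_ca], node_cert, node_key)
  crl_store = OpenSSL::X509::Store.new
  crl_store.add_cert(public_ca)
  crl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK # fails: no CRL is available for this CA
  { public_server_trusted: ctx.cert_store.verify(public_server),
    puppet_server_trusted: ctx.cert_store.verify(puppet_server), # false: Puppet CA not in store
    with_crl_check: crl_store.verify(public_server),
    presents_client_cert: ctx.cert.subject.to_s == '/CN=node.example.com' }
end
```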

            People

              Assignee: Unassigned
              Reporter: smortex (Romain Tartière)
              Votes: 0
              Watchers: 4