Add GlobalSign Root CA - R3 cert and remove outdated certs

[sonalkr132]

root CA of rubygems.org (and all subdomains) was updated from GlobalSign Organization Validation CA - SHA256 - G2 to GlobalSign Root CA - R3.
GlobalSignRootCA.pem was previously used to verify server cert if system certs could not verify rubygems.org cert.

What was the end-user or developer problem that led to this PR?

Fixes when rubygem.org cert could not be verified by using system certs:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)                                          

closes: #4099

What is your fix for the problem, implemented in this PR?

add GlobalSign R3 CA cert. used here to configure remove fetcher.

Make sure the following tasks are checked

• Describe the problem / feature
• Write tests for features and bug fixes
• Write code to solve the problem
• Make sure you follow the current code style and write meaningful commit messages without tags

[hsbt]

@sonalkr132 Thanks! I will backport this to RG 2.7, 3.0 and 3.1.

[sonalkr132]

Thanks. Perhaps we should wait until @dwradcliffe confirms the removal of the old cert.
AddTrustExternalCARoot.pem was expired so it is fine to remove that. DigiCertHighAssuranceEVRootCA.pem is for cloudfront and I am positively sure that we don't have any CloudFront endpoints, however, a confirmation would be nice. It was added more than seven years ago.

[hsbt]

Ah, OK. I'm waiting to release the new versions of rubygems until approval from @dwradcliffe .

[indirect]

I can confirm that we previously used CloudFront as the S3 CDN, and we now use Fastly instead. It is ok to remove DigiCertHighAssuranceEVRootCA.pem. 👍🏻

[dwradcliffe]

I think there was still a cloudfront domain setup for legacy clients buts it’s probably time to stop supporting that.
👍🏻