Use new key flags to check for certify capability
In this case, the old flag would also work because the checks are only
done for OpenPGP certificates where the primary subkey always has the
certify capability, but it's better to be consistent.
- GnuPG-bug-id: T6753