It looks like Windows CryptoAPI sometimes does not refetch a certificate over AIA if it already has a cached certificate with the same Subject, even when the chain being built points at an AIA URL for that Subject that it has not yet tried to retrieve. This causes issues when the TLD CA is regenerated on Encaya reboot (or Encaya reinstall): the regenerated CA has a new key but an identical Subject, so the stale cached certificate is what CryptoAPI keeps using. We should be able to mitigate this by putting the public key in the serialNumber attribute of the Subject DN, just as we already do for the AIA Parent Domain CA certificates, so that every regenerated CA carries a distinct Subject.
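The mitigation in concrete form, as an added example that is not Encaya's own code: a self-signed CA is generated twice (standing in for a reboot), once with a plain Subject and once with the hex SHA-256 of the DER SubjectPublicKeyInfo placed in the Subject DN's serialNumber attribute (OID 2.5.4.5, `pkix.Name.SerialNumber` in Go). Hashing the key instead of embedding it verbatim is an assumption made here to keep the attribute short; the function names, the "Encaya TLD CA" common name and the P-256 key type are likewise assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SubjectSerialNumber derives the value for the Subject DN's serialNumber
// attribute from the CA public key: hex SHA-256 of the DER-encoded
// SubjectPublicKeyInfo (hashing is this example's choice, not a fixed rule).
// A regenerated CA has a new key, hence a new Subject DN, so a cached
// certificate for the old Subject no longer matches.
func SubjectSerialNumber(pub *ecdsa.PublicKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:]), nil
}

// CASubject builds the CA Subject. withKeyBinding=false reproduces the
// problematic case (every regeneration yields an identical Subject);
// withKeyBinding=true adds the key-derived serialNumber attribute.
func CASubject(commonName string, pub *ecdsa.PublicKey, withKeyBinding bool) (pkix.Name, error) {
	name := pkix.Name{CommonName: commonName}
	if withKeyBinding {
		sn, err := SubjectSerialNumber(pub)
		if err != nil {
			return pkix.Name{}, err
		}
		name.SerialNumber = sn
	}
	return name, nil
}

// NewSelfSignedCA generates a fresh P-256 key and a self-signed CA certificate.
func NewSelfSignedCA(commonName string, withKeyBinding bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subject, err := CASubject(commonName, &key.PublicKey, withKeyBinding)
	if err != nil {
		return nil, nil, err
	}
	// Certificate serial number (distinct from the Subject serialNumber attribute).
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// SameSubject reports whether two certificates carry byte-identical Subject
// DNs, the condition under which the cached-certificate problem shows up.
func SameSubject(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubject, b.RawSubject)
}

func main() {
	// Generating the CA twice stands in for a reboot or reinstall.
	old, _, _ := NewSelfSignedCA("Encaya TLD CA", false)
	regen, _, _ := NewSelfSignedCA("Encaya TLD CA", false)
	fmt.Println("without key binding, same Subject:", SameSubject(old, regen))

	old, _, _ = NewSelfSignedCA("Encaya TLD CA", true)
	regen, _, _ = NewSelfSignedCA("Encaya TLD CA", true)
	fmt.Println("with key binding, same Subject:", SameSubject(old, regen))
	fmt.Println("regenerated Subject:", regen.Subject.String())
}
```

Because leaf and intermediate certificates copy the CA's Subject into their Issuer field at issuance, certificates issued by the regenerated CA automatically reference the new DN; anything issued by the old CA still names the old Subject and will still chain only to the old certificate, which is the intended outcome.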