Require Certificate Transparency for Symantec-operated roots

net/data/ssl/certificates/README

 This directory contains various certificates for use with SSL-related
 unit tests.
 
 ===== Real-world certificates that need manual updating
 - google.binary.p7b
 - google.chain.pem
 - google.pem_cert.p7b
 - google.pem_pkcs7.p7b
 - google.pkcs7.p7b
 - google.single.der
@@ skipping 148 matching lines @@
 - pre_br_validity_bad_2020.pem
 - pre_br_validity_ok.pem
 - start_after_expiry.pem
     Certs to test that the maximum validity durations set by the CA/Browser
     Forum Baseline Requirements are enforced.
 
 - reject_intranet_hosts.pem
    A certificate with a non-IANA delegated domain, which is rejected since a CA
    cannot validate the applicant controls that domain.
 
+- pre_june_2016.pem
+- post_june_2016.pem
+   Certs to test that policies related to enforcing CT on Symantec are
+   properly gated on the issuance date.
+
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
       {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
       Test certificates used to ensure that weak keys are detected and rejected
 
 ===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
 - cross-signed-leaf.pem
 - cross-signed-root-md5.pem
@@ skipping 99 matching lines @@
      aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
      containing the intermediate, which can be served via a URLRequestFilter.
      aia-intermediate.der is stored in DER form for convenience, since that is
      the form expected of certificates discovered via AIA.
 
 ===== From net/data/ssl/scripts/generate-self-signed-certs.sh
  - self-signed-invalid-name.pem
  - self-signed-invalid-sig.pem
      Two "self-signed" certificates with mismatched names or an invalid
      signature, respectively.