Do not use cert_pi_useAIACertFetch by default. Use it only
when we are likely to be missing intermediate CA certificates.
Work around the SEC_ERROR_POLICY_VALIDATION_FAILED error from
CERT_PKIXVerifyCert by retrying CERT_PKIXVerifyCert with the
certificate policy in the certificate.
Map SEC_ERROR_POLICY_VALIDATION_FAILED to ERR_CERT_INVALID
if we can't work around the error.
Start the migration away from test_certificate_data.h to the
certificate files in the src/net/data/ssl/certificates
TEST=A new unit test. To verify the fix for issue 31497
manually, must install the "DoD Root CA 2" certificate first
(see comment 9 of bug 31497).