A better solution for verifying certificate chains with NSS 3.12.3. Instead of allowing weak certificate algorithms all over the place, which is what the NSS flag we are enabling, short-circuit a verification a step early if the fingerprint of the last-checked certificate matches its signer's certificate (retrieved from the trusted CA pool). Closes #9360.