Our certificate code is generally designed around no two CA certificates having the same DN. Unfortunately this breaks when have multiple distinct intermediate certificates with the same DN, such as when we want to validate against MSN intermediate CAs. This change allows us to verify against any one of multiple CA certificates with the same DN, instead of relying on a) luck from reading from disk in the "right" order or b) black magic from NSS reconstructing a valid chain on connection attempts after CA pool initialization is complete.