Entrust have issued a root certificate that's not marked as valid for
signing certificates.

This results in Go programs failing to validate certificates that
chain up to this root (i.e. gateway.push.apple.com:2195).

Although this is clearly a mistake on Entrust's part, it seems that we
will have to bodge around it.

R=golang-dev, dave, r
CC=golang-dev
https://golang.org/cl/6346064