Add test to check that certificate chain behaviour is as expected
In #3202 (closed) we were blocked by the change in behaviour of the Go standard library and how it expanded certificate chains between 1.8.7 and 1.9 and beyond. Once that behaviour is fixed, which !1581 (merged) looks like it should, we should also add a test that checks that changes to our runtime or dependencies don't again break our ability to unroll the certificate chain.