
RELEASE BLOCKER: Add special case handling of cert with negative serial number #515

Open: wants to merge 1 commit into base: main

Conversation

SgtCoDFish
Member

See also Slack.

Go 1.23 changes ParseCertificate to no longer accept negative serial numbers (in line with specs).

This breaks the trust package we provide, which contains an older CA with a negative serial number in it.

As a special case for just this one cert, we handle the error and skip including the cert rather than failing the entire bundle because of this cert.

This also adds tests for the behavior of the new compat.ParseCertificate function, both with the GODEBUG workaround set and unset.

Users who need to trust this CA will for the foreseeable future still be able to include it by setting the GODEBUG environment variable when running trust-manager.
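As an added example (not code from this PR or from trust-manager), the skip logic described above, generalised from the one known CA to any certificate that Go 1.23+ rejects for a negative serial, together with constructed test certificates to exercise it. The error text `negative serial number`, the substring match, and all function names here are my assumptions; `GODEBUG=x509negativeserial=1` is the Go 1.23 setting that restores the old behaviour.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// Go 1.23+ ParseCertificate error text for a negative serial unless GODEBUG=x509negativeserial=1 is set (assumption).
const negativeSerialMsg = "negative serial number"

// ParseBundleSkippingNegativeSerial parses each PEM block of a trust bundle, dropping (and
// counting) certs rejected only for a negative serial; any other parse failure fails the bundle.
func ParseBundleSkippingNegativeSerial(pemData []byte) (certs []*x509.Certificate, skipped int, err error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		cert, perr := x509.ParseCertificate(block.Bytes)
		switch {
		case perr == nil:
			certs = append(certs, cert)
		case strings.Contains(perr.Error(), negativeSerialMsg):
			skipped++ // the one tolerated failure: drop this cert, keep the rest of the bundle
		default:
			return nil, skipped, perr
		}
	}
	return certs, skipped, nil
}

// ConstructedCertDERs builds a throwaway self-signed CA (constructed test data) with serial 0x7ABCDEF1
// (DER INTEGER 02 04 7A BC DE F1) and a copy whose first serial byte has its top bit set, i.e. a negative serial.
func ConstructedCertDERs() (positive, negative []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x7ABCDEF1), IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if positive, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	negative = append([]byte(nil), positive...)
	negative[bytes.Index(negative, []byte{0x02, 0x04, 0x7A, 0xBC, 0xDE, 0xF1})+2] = 0xFA // CreateCertificate refuses negative serials, so flip after signing
	return positive, negative, nil // ParseCertificate does not verify signatures, so the stale signature does not matter
}
```

Whether the negative cert is included or skipped depends on the toolchain and on `GODEBUG`; either way the bundle itself still loads, which is the behaviour the PR wants.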

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Dec 16, 2024
@cert-manager-prow
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from sgtcodfish. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Dec 16, 2024
@SgtCoDFish SgtCoDFish force-pushed the negative-serial-special-case branch 2 times, most recently from b8a6b25 to 74e21c7 Compare December 17, 2024 09:37
@SgtCoDFish SgtCoDFish force-pushed the negative-serial-special-case branch from 74e21c7 to fc17604 Compare December 17, 2024 09:41
@cert-manager-prow
Contributor

cert-manager-prow bot commented Dec 17, 2024

@SgtCoDFish: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                 Commit   Details  Required  Rerun command
pull-trust-manager-smoke  fc17604  link     true      /test pull-trust-manager-smoke

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
