Add TunTrust Root CA root certificate

TunTrust is operated by ANCE (Agence Nationale de Certification Electronique), Tunisia's national CA. The inclusion request was filed in October 2019, supported by WebTrust point-in-time and period-of-time audit reports, plus a KGC audit. Two root certificates were submitted; only the second (serial 1302D5E2..., valid 2019–2044, RSA 4096) was requested for inclusion, as the first incorrectly included the digitalSignature key usage bit. The PKI hierarchy consists of TunTrust Root CA (offline), TunTrust Services CA (OV TLS, name-constrained to .tn), and TunTrust Qualified CA (non-TLS, S/MIME and smartcard). Ben Wilson conducted the CP/CPS review against MRSP and BR requirements in November 2020, identifying gaps in CAA placement (§4.2), MFA language (§4.3.1), revocation reasons (missing Debian weak key), CN/SAN alignment, and Mozilla key compromise notification (§5.7.3). TunTrust addressed all findings in CP/CPS v4.5 (December 2020). Public discussion ran from April 7 to April 30, 2021, with TunTrust responding to community questions and submitting a CA value justification document per Mozilla's quantifying value framework. Ben Wilson summarized the discussion and declared intent to approve, opening a 7-day last-call period. Kathleen Wilson approved inclusion on August 24, 2021, for Websites trust bit only, no EV. The root was included in NSS 3.71 and Firefox 94

1. 2019-10-10 Initial request for root inclusion submitted.
2. 2021-08-31 Request approved by Mozilla.