Generated serialNumber in selfSign.go is not compliant with baseline requirements

[ctrufan]

The serialNumber generated in the selfSign.go file is generated using a bound of a 64 bit integer - however, the go implementation of rand means that functionally the value is being generated as a positive number with essentially 63 bits of output from the CSPRNG. rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))

The CA/Browser Forum baseline requirements (as of Ballot 164, 2016-09-30) specify

Effective September 30, 2016, CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.

Presumably selfsign.go isn't being used in any production environments (and arguably isn't a cert "issued by a CA" due to the self-signed nature), but if it's used in any context that results in issuing a cert with a serial number based off the output of selfsign.go (or if the software was ever used for a root?), the resulting certificate would not be baseline compliant.

(I realize semantic arguments could be made that this is actually compliant, but there's active discussion on mozilla.dev.security.policy mailing list that involved statements that this exact behavior is not compliant)