boulder
Consider removing Subject Key Identifier from end-entity certificates
Per the BRs, Section 7.1.2.7.6, the Subject Key Identifier extension is NOT RECOMMENDED for end-entity Subscriber certificates.
This is because the SKID is mostly useful for path-building. It's important for it to exist in issuer certificates, so that it can be matched to the AKID of certs that they issue. But no one is building a path up to an end-entity certificate, so in those the SKID is simply consuming bytes with no real purpose.