Implement a protocol call to get the rootCA from SCM

Right now on client side (OM/Datanode/Recon) it's only possible to get the root CA certificate during startup/init phase. When the root CA certificate is rotated it's necessary to provide some form of protocol/communication channel where the clients can get the new root CA certificate on demand.

This might also include rethinking the protocols regarding CAs in general because currently the system doesn't distinguish between root and sub CAs and might provide root CAs when asking for only sub CAs. There might be other bugs as well.