Change order of CA certs when searching for CA for a node certificate

When loading a node certificate, we are searching for a CA that matches that node cert. Then we memorize that CA cert for that node cert, and don't allow removal of that CA cert.
Currently we assume that only one CA in the list of trusted CAs can match given node cert, but actually that's incorrect because different CAs can be created using the same private key.
Since currently we sort CAs by id, we always attach the oldest CA cert to the node cert being added which leads to the fact that it is impossible to update a CA cert if CA private key does not change.
I think we should reverse the order of the CA certificates when we search the right CA. In this case we will always start from the latest added certificate in the list.