I don't get the issue with serial numbers. For the browser, it's a completely opaque random number - it doesn't matter what it is and how it changes.
Is the issue here that they're talking about CA collisions and need the "authority key identifier" extension to match? This shouldn't matter when colliding with service certificates.
Is the issue here that they're talking about CA collisions and need the "authority key identifier" extension to match? This shouldn't matter when colliding with service certificates.