If set, this will override the OS default list of OpenSSL CAs. If unset, the default list will be used. Some platforms may add additional certificates. Checking your platform behaviour is required if the exact contents of the CA root is critical for your application.