The "ssl-ca-location" setting:
If set, this will override the OS default list of OpenSSL CAs. If unset, the default list will be used. Some platforms may add additional certificates. Checking your platform behaviour is required if the exact contents of the CA root is critical for your application.
This setting is overridden by environment variables SSL_CERT_FILE and SSL_CERT_DIR.