[alias_neo]

> so storing a full set of CA certs was quite limiting

Not sure what your project was doing, but one doesn't generally want to install a full set of CAs. If you're creating a product that'll talk to your APIs you pin your own CA, ensure that the server name matches and verify it, anything else is a failure.

[8organicbits]

If you use an API endpoint provided by a cloud service provider then you use whichever CA they use, which will be a public CA. But they can switch to another at any time.