The server will be making providing an explicit CA optional, and default on the system provided (OpenSSL) defaults.
We do the same as of
CDRIVER-1142, but OpenSSL doesn't ship with default certificates and it appears rare that people explicitly fetch the Mozilla bundle or other bundles.
We can, and should, trust the Windows cert store for this.
When no explicit CA option is provided (mongoc_ssl_opt_t.ca_file and .ca_dir) we should extract the CAs from the Windows cert store and load them into OpenSSL.
Even though we'll support Windows native Secure Channel, I think we should still do this for those resisting and continue to use OpenSSL on Windows.