Revised:
The tools need to support CAs in system certificate stores. Specifically, the following Evergreen tasks that passed using OpenSSL-based tools need to pass using the Go driver:

• native-cert-ssl on Mac
• native-cert-ssl on Windows

Go 1.12 (and 1.11.6) claim to have fixed the Mac issue, so when that toolchain is available we can test against it.

For Windows, it doesn't look like Go has fixed it upstream, so we need to find an alternate way of getting the system CAs. That could be something like the go-openssl wrapper system_certs.c code, or, perhaps preferably, something using Go's syscall library or sys/x/windows.

Original

The mongodb tools currently have the ability on Windows and Mac to authenticate a server against a CA installed in the system certificate store. This is achieved via the go-openssl wrapper which loads Windows/Mac system CAs into an openssl X509 store. See this code called via this code.

The Go driver needs to implement some equivalent functionality or the tools can't use the Go driver for TLS support.

For Mac, there seems to be support already for system CAs, but with some outstanding bugs, e.g. go#24652.

For Windows, this might be addressed in Go 1.12 – see go#16736 or we might need to do the equivalent ourselves if the patch doesn't get merged in time.

Another option for Windows might be to implement schannels support. I've seen a package claiming support, alexbrainman/sspi, but have no idea how functional/usable it is.