It looks like the old way of providing libgit2 with certificate locations doesn't work without OpenSSL #499.

After a little bit of research, I think that
git_transport_certificate_check_cb (part of git_remote_callbacks) needs to be exposed somehow so that applications can provide custom server trust validation. This may be essential for sandboxed apps if the new SecureTransport support in libgit2 doesn't already tap into the root CA certs.

This callback was added in libgit2 0.22

Update: This callback appears to be unnecessary for normal certificate validation. It's only needed for providing a custom cert.