Package rootcerts contains functions to aid in loading CA certificates for TLS connections.
In addition, its default behavior on Darwin works around an open issue  in Go's crypto/x509 that prevents certicates from being loaded from the System or Login keychains.
ConfigureTLS sets up the RootCAs on the provided tls.Config based on the Config specified.
LoadCACerts loads a CertPool based on the Config specified.
LoadCAFile loads a single PEM-encoded file from the path specified.
LoadCAPath walks the provided path and loads all certificates encounted into a pool.
LoadSystemCAs does nothing on non-Darwin systems. We return nil so that default behavior of standard TLS config libraries is triggered, which is to load system certs.
Config determines where LoadCACerts will load certificates from. When both CAFile and CAPath are blank, this library's functions will either load system roots explicitly and return them, or set the CertPool to nil to allow Go's standard library to load system certs.