Allow spin to trust system root CA

[rajsite]

When I run spin on my IT-managed Windows machine I get the following error from a JCO-based WASM component that makes an outbound HTTP request:

[spin-local-start] 2026-03-05T22:23:00.603340Z  WARN spin_factor_outbound_http::wasi: tls protocol error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }
[spin-local-start] (new TypeError("NetworkError when attempting to fetch resource", ""))

My hunch is that the IT configuration requires using the system root CA for HTTP requests where I saw similar issues in Servo that were addressed by using rustls-platform-verifier in: servo/servo#40935

If you still see a bug or problem, please let us know:

• Spin version (spin --version)

  spin 3.6.2 (c0fc970 2026-02-25)
  

• Installed plugin versions (spin plugins list --installed)

  No plugins found
  

[rajsite]

Made a rough prototype enabling rustls-platform-verifier (mostly mimicking the servo PR and with a bunch of AI help, still pretty new to Rust 😅) and with the workflow artifact I'm able to run my simple JCO fetch WASM component so feeling confident that needing to trust the system root CA is the issue.

[dicej]

Looks like crates/factor-outbound-networking/src/tls.rs wants to use webpki-roots rather than the system certs, perhaps for consistent behavior across platforms; I don't know for sure. Seems reasonable to at least add an option to use the system certs instead.

[itowlson]

cc @lann for being the last person to touch that file (although I imagine there is prior history)

[itowlson]

The reported design motivation is, quote, "uhh it was probably just easier with rustls?" grin

@rajsite If your prototype / candidate fix is in a working state then do feel free to PR it - if nothing else we may be able to offer feedback, or pick it up and run with it if you don't have bandwidth - thanks!

[rajsite]

Created the following PR! #3426