It seems just creating a directory and putting *.pem files into it will not be enough.
The certificates need to have a specific file name to be able for tcltls to use the certificates in the specified directory to pick them up for verification.
when the user wants to add own certificate he has to run the c_rehash command.
For users without openssl installed, especially on Windows, this may be much more complicated than just opening a text editor to add their custom *pem file from the server.
Sander, what do you think about that, I'd say we should stick to the cafile stuff instead of using a directory.