Installing "our" certificates is not an option with Let's Encrypt as those certificates expire after three months or we switch to a very short release cycle :). Or we just disable certificate verification in the UpdateChecker plugin :).
More seriously, I got your point. Ideally, Windows would provide the necessary CA certificates or `libsoup` would be able to access them (I'm not completely sure what's the real culprit here). But since that isn't the case, I think re-distributing the available set of CA certificates bundled by MSYS and updating them with our releases should be a good compromise.