There is no test case where rejectUnauthorized, the option for https.request or tls.connect, is true.
It's set true by default. So, by default, the server certificate needs to be verified using built-in CAs (if they exist). Its verification with a custom CA (given as an option) is also needed.

Currently no method for finding system CAs is implemented in the tls module.