uniqush / uniqush-push

Uniqush is a free and open source software system which provides a unified push service for server side notification to apps on mobile devices.

Home Page: http://uniqush.org

Document how to support new root CAs for APNs servers with uniqush

TysonAndre opened this issue · comments

From https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server

Establish a Trusted Connection to APNs
Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.

If your provider server runs macOS, the GeoTrust Global CA root certificate is in the keychain by default. If your provider server runs macOS 10.14 or later, the AAA Certificate Services root certificate is in the keychain by default. On other systems, you might need to install this certificate yourself. You can download the GeoTrust Global CA root certificate from the GeoTrust Root Certificates website. You can download the “AAACertificateServices 5/12/2020” certificate from the Sectigo KnowledgeBase website.

(developer.apple.com has the official download links)

https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from

For example, on Linux:

// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

// Possible certificate files; stop after finding one.
var certFiles = []string{
    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux
}

In cases where it is not possible to update the certificate store, look into whether it'd be viable to include those certificate stores manually, e.g. as a CLI flag to add to the OS's certificate store.
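The following is an added example of the approach suggested above, written for this page; it is not code from uniqush-push. It starts from the system pool that Go builds from the certFiles list quoted above (x509.SystemCertPool), appends an extra PEM bundle supplied through a hypothetical -extra-ca flag (assumed here; uniqush-push has no such flag), and wires the resulting pool into a tls.Config as RootCAs. Because no Sectigo root is embedded, the program constructs its own throwaway root and a server leaf signed by it, and shows the leaf failing verification against the store as-is and passing once its root is appended, which is exactly the APNs situation. api.push.apple.com is the production APNs host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"flag"
	"fmt"
	"math/big"
	"os"
	"time"
)

// rootPool starts from the OS trust store (on Linux, the certFiles list quoted above)
// and appends every PEM certificate in extraPEM, so a root such as "AAA Certificate
// Services" can be trusted without editing /etc/ssl.
func rootPool(extraPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no readable system store: start empty
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("extra CA bundle contains no PEM certificates")
	}
	return pool, nil
}

// verifyAgainst performs the check the TLS handshake would: leafPEM must chain to a root in pool and be valid for host.
func verifyAgainst(pool *x509.CertPool, leafPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// mustPEM signs tmpl with the parent's private key and PEM-encodes it; fixture generation only, so it panics.
func mustPEM(tmpl, parent *x509.Certificate, pub, priv interface{}) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// constructedChain generates a throwaway self-signed root and a server leaf it signs.
// Both are constructed for this example and stand in for the Sectigo root and the APNs server certificate.
func constructedChain(host string) (rootPEM, leafPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustPEM(root, root, &rootKey.PublicKey, rootKey), mustPEM(leaf, root, &leafKey.PublicKey, rootKey)
}

func main() {
	extra := flag.String("extra-ca", "", "PEM bundle of additional root CAs to trust (hypothetical flag)")
	flag.Parse()
	const host = "api.push.apple.com" // production APNs host
	var extraPEM []byte
	if *extra != "" {
		var err error
		if extraPEM, err = os.ReadFile(*extra); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	pool, err := rootPool(extraPEM)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12} // hand this to tls.Dial or http.Transport
	fmt.Println("TLS client config pinned to", cfg.ServerName)
	// Offline demonstration: the constructed leaf fails against the store as-is and passes once its root is appended.
	rootPEM, leafPEM := constructedChain(host)
	fmt.Println("before appending root:", verifyAgainst(pool, leafPEM, host))
	withRoot, _ := rootPool(rootPEM)
	fmt.Println("after appending root: ", verifyAgainst(withRoot, leafPEM, host))
}
```

Appending to the system pool rather than replacing it keeps every root the OS already trusts, so the flag only widens trust by the bundle the operator chose. Two checks worth doing in practice: confirm AppendCertsFromPEM actually returned true (a bundle saved in DER rather than PEM silently adds nothing), and remember that on Unix Go also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables when building the system pool, which is an alternative when the process cannot be given a new flag.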