https://bugs.openldap.org/show_bug.cgi?id=10149
Looks a bit like a chicken'n'egg situation: why should anyone trust the connection that was used to retrieve certs and keys from the designated URI?
Not at all.
We’re referring to URIs known to crypto libraries, such as pkcs11 URLs (for smartcard interfaces) and tpmkey URIs for TPM chips.
By default OpenSSL always supports the file:// URI, which points at PEM-encoded certs/keys/crls/params/etc.
Other URIs might point at the macOS keychain, or the Windows crypto API. It’s up to the crypto library.