Heads up gnutls appears to be slightly more strict on what is considers to be a CA certificate.
Using the cert.pem generated by this script there are a few certs which cause a warning to be displayed by gnutls:
$ gnutls-cli google.com
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.systemdefault,O=System Identity.
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.kerberos.kdc,O=System Identity.
...
Processed 173 CA certificate(s).
Resolving 'google.com:443'...
Connecting to '2a00:1450:4009:80b::200e:443'...
- Certificate type: X.509
As reported in #23: