We currently support disabling SSL certificate verification, but we don't properly support actually verifiying them. This fixing this issue will require adding a module to Ohai to find where a useful set of root ssl certificate authority data lives, so we can then use it when we call Net::HTTP.
At which point something like:
http.ca_path = /etc/ssl/certs
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
Should do the trick nicely.