[MDEV-27181] Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory
Created: 2021-12-07  Updated: 2023-05-16  Resolved: 2021-12-14

Status: Closed
Project: MariaDB Server
Component/s: Galera, Galera SST, wsrep
Affects Version/s: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5, 10.7.1
Fix Version/s: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2

Type: Bug
Priority: Critical
Reporter: Geoff Montee (Inactive)
Assignee: Julius Goryavsky
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Problem/Incident
causes MDEV-28170 missing '$' in variable check in wsre... Closed
is caused by MDEV-26360 Using hostnames for MariaBackup SSTs ... Closed
Relates
relates to MDEV-23747 socket.ssl_ca argument being ignored. Closed

 Description   

Based on a discussion with sysprg, the SST script changes from MDEV-26360 allow users to configure a CA directory by setting ssl_ca, like this:

[mariadb]
...
wsrep_ssl_mode = SERVER_X509
 
ssl_ca = /certs/ca-cert/
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem

This implementation is likely to result in problems. ssl_ca is a system variable owned by MariaDB Server. MariaDB Server expects the ssl_ca system variable to refer to an absolute path to a single PEM file:

ssl_ca
Description: Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This system variable requires that you use the absolute path, not a relative path. This system variable implies the ssl option.

https://mariadb.com/kb/en/ssltls-system-variables/#ssl_ca

If a Galera user tries to set the ssl_ca system variable to a path to a directory, MariaDB Server is likely to encounter an error during startup when it tries to treat the value as a path to a PEM file.

However, there is an easy solution. MariaDB Server provides the ssl_capath system variable to refer to a directory:

ssl_capath
Description: Defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA) to use for TLS. This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the openssl rehash command. This system variable implies the ssl option.

https://mariadb.com/kb/en/ssltls-system-variables/#ssl_capath

If we would like Galera users to be able to specify a path to a directory of CA certificates, we should probably use ssl_capath for this--not ssl_ca.
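A pre-flight check for the distinction drawn in the description above, as an added example that is not part of the ticket or of the MariaDB SST scripts. `check_ca_setting` is a hypothetical helper name; it rejects a directory given as ssl_ca and checks that an ssl_capath directory carries the hash-named links that `openssl rehash` creates.

```shell
# Added example: validate a CA setting before starting a node.
# usage: check_ca_setting <ssl_ca|ssl_capath> <value>
# Prints one diagnostic line; returns 0 only when the value suits the variable.
check_ca_setting() {
    local var=$1 path=$2 f found=0
    # Both variables require an absolute path.
    case $path in
        /*) ;;
        *) echo "$var: '$path' is not an absolute path"; return 1 ;;
    esac
    case $var in
        ssl_ca)
            # ssl_ca must name a single PEM file, never a directory.
            if [ -d "$path" ]; then
                echo "ssl_ca: '$path' is a directory; set ssl_capath instead"
                return 1
            elif [ ! -f "$path" ]; then
                echo "ssl_ca: '$path' is not a regular file"
                return 1
            elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
                echo "ssl_ca: '$path' contains no PEM certificate"
                return 1
            fi ;;
        ssl_capath)
            if [ ! -d "$path" ]; then
                echo "ssl_capath: '$path' is not a directory"
                return 1
            fi
            # openssl rehash creates links named <8 hex digits>.<n>;
            # without them the directory lookup finds no CA.
            for f in "$path"/*; do
                case ${f##*/} in
                    [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                        found=1; break ;;
                esac
            done
            if [ "$found" -ne 1 ]; then
                echo "ssl_capath: '$path' has no hash links; run openssl rehash"
                return 1
            fi ;;
        *)
            echo "unknown variable '$var'"; return 2 ;;
    esac
    echo "$var: ok"
}
```

For the configuration shown in the description, `check_ca_setting ssl_ca /certs/ca-cert/` reports that the value is a directory and belongs in ssl_capath.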



 Comments   
Comment by Jan Lindström (Inactive) [ 2021-12-13 ]

In my opinion this is ok to push.

Comment by Julius Goryavsky [ 2021-12-14 ]

Fixed:
https://github.com/MariaDB/server/commit/8bb55633699612279744c055e22eeca8d4058273
https://github.com/MariaDB/server/commit/7bc629a5ce9e1edf2c27ddfba2a55c4341d55b4f
https://github.com/MariaDB/server/commit/dda0bfaaecc898d7a4b1e1234e0f5083294ccf6e
