I'm not the best person to answer this, but I'll give it a shot.  The certificates file contains the public certificates required to make a secure connection.  The built-in one Roku supplies has most of the certificates you'd need to connect securely to most sites.  If you can connect to https://whatever.com then it's working.

When you'd need to specify a different certificates file is when you want to provide your own public certificate.  I've done this for my own self-signed certificate to connect to my server securely.

I can't find it, but @belltown had a good explanation of all this way back when.

Thank @renojim.

Just wanted to be sure. Does it take care of two way ssl handshake internally?

Whenever server sends the authentication challenge to the client, does client cancels the request if it fails to verify the server trust. i.e if the server certificates are not matched to the certificates provided by us.

I am unable to figure out this functionality as nowhere it is mentioned about the same

It will fail if everything doesn't check out.  You can use EnablePeerVerification(false) and/or EnableHostVerification(false) to bypass the checks, but my thought is that if you have to use either of them then something isn't right.