Once pkix.useDefaultTrustAnchors is set to true, the gateway trusts the well-known public certificate authorities.
The trust anchors come from Java (the JDK's cacerts keystore); the gateway does not maintain the list itself.
The following command lists all the trust anchors and saves the output to the file /home/ssgconfig/calist:
/opt/SecureSpan/JDK/bin/keytool -list -v -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts >/home/ssgconfig/calist
Certificates that are not signed by an issuer in the list must be imported into the gateway manually before they are trusted.
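
One way to check a saved listing for a given issuer, as an added example (not vendor code). It assumes the issuer DN is supplied exactly as keytool prints it, for instance the "Issuer:" line from `keytool -printcert -file cert.pem`; the function names and the sample CAs are made up for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Checks a saved `keytool -list -v` listing
# (the calist file) for a trust anchor whose Owner equals a given issuer DN.

# anchor_alias FILE DN: print the alias of each matching anchor; exit 1 if none.
# The DN is passed through the environment so awk does not interpret any
# backslashes in it. The comparison is an exact string match.
anchor_alias() {
    WANT="$2" awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Owner: /      { if (substr($0, 8) == ENVIRON["WANT"]) { print alias; hit = 1 } }
        END             { exit (hit ? 0 : 1) }
    ' "$1"
}

# import_needed FILE DN: say whether the issuer must be imported manually.
import_needed() {
    if found=$(anchor_alias "$1" "$2"); then
        echo "trusted via default anchor: $found"
    else
        echo "manual import required"
    fi
}

# Constructed sample in keytool -list -v layout (fictional CAs, fields trimmed).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Your keystore contains 2 entries

Alias name: examplerootca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Trust, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US

Alias name: samplerootg2
Entry type: trustedCertEntry

Owner: CN=Sample Root G2, O=Sample Inc, C=US
Issuer: CN=Sample Root G2, O=Sample Inc, C=US
EOF

import_needed "$SAMPLE" "CN=Sample Root G2, O=Sample Inc, C=US"
import_needed "$SAMPLE" "CN=Internal Issuing CA, O=Corp, C=US"
```

On the gateway, pass /home/ssgconfig/calist as the first argument in place of the sample file.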