Finally I found the issue now…
It was caused by a setting I had modified. I disabled “Automatic Root Certificates Update” (link 2) which is a technology of Windows to fetch missing root certificates from the Windows update servers to import them into the root certificate store.
This “root certificate lookup” is done when a website sends a not trusted certificate when it is visited. And IdenTrusts root cert seems to be part of this root certs which are not included by Windows “natively”. After re-enabling this option the connection was successfully established and I could find the DST Root CA X3
in the trust store.
More information in this (quite old) article of a German magazine (english translation). I could not find a nice English article about this now, sorry.
Issue fixed. (at least I know the cause)