Use update-ca-trust! Or update-ca-certificates.

Don’t just append the /etc/ssl/certs/ca-certificates.crt or the /etc/ssl/certs/ca-bundle.crt.

Not long ago, I thought that it didn’t matter. I figured since the update-ca-trust command just updated the bundle, I might as well skip a step and go directly. I was wrong. Don’t do it. I guess that’s why people actually have processes and directions to follow.

The reason why you want to put the certificate issuers in /etc/pki/ca-trust/source/anchors/ or /etc/ssl/certs/ and use the update-ca-trust enable/extract commands is so that it can survive an update. If someone decides to patch the machine and there are other certificates being updated, the one that you appended to the bundle will get deleted.

Follow the process! For me, that’s basically:

cp <filename>.pem /etc/pki/ca-trust/source/anchors/
cp <filename>.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust force-enable
update-ca-trust extra