alexcrichton / openssl-probe

Apache License 2.0

use /etc/pki/ca-trust/source/anchors as cert_dir on modern RHEL? #24

Open aaronenberg opened 1 year ago

aaronenberg commented 1 year ago

I noticed that cert_dir always gets certs joined onto it. However, /etc/pki/ca-trust/extracted is a dynamically created directory generated by the update-ca-trust script, and the pem subdirectory is just one of the many created by this script that store PEM bundles. None of them have a certs subdirectory AFAIA.

I think the probe will find the legacy /etc/pki/tls/certs right after and set cert_dir to that.

Can this directory and possibly others like it be separated from the directories that do have a certs subdirectory?

aaronenberg commented 1 year ago

To add onto this, the appropriate cert_dir replacement on these modern RHEL systems, I believe, is /etc/pki/ca-trust/source/anchors for "simple trust anchors". This would be yet another list of cert_dirs that do not have a certs subdirectory, but unlike /etc/pki/ca-trust/extracted it is an actual cert_dir.
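
The behaviour discussed in this thread, as an added example that is not part of the issue and is not openssl-probe's code: a small std-only model of a probe that joins certs onto every candidate, next to one that lets a candidate be used directly. The Layout enum, both functions, and the candidate lists are hypothetical, and the directory tree is constructed in a temp dir to resemble the RHEL paths named above.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// How a candidate root is turned into a certificate directory (hypothetical type).
#[derive(Clone, Copy)]
pub enum Layout {
    /// Certificates are expected in `<root>/certs` (the joining the issue describes).
    CertsSubdir,
    /// The root itself is the certificate directory (the separation the issue asks for).
    Direct,
}

/// Return the first candidate whose certificate directory exists.
/// `sysroot` is prepended so the probe can run against a constructed tree.
pub fn probe_cert_dir(sysroot: &Path, candidates: &[(&str, Layout)]) -> Option<PathBuf> {
    candidates.iter().find_map(|(root, layout)| {
        let root = sysroot.join(root.trim_start_matches('/'));
        let dir = match layout {
            Layout::CertsSubdir => root.join("certs"),
            Layout::Direct => root,
        };
        dir.is_dir().then_some(dir)
    })
}

/// Build a constructed, RHEL-like directory tree under the temp dir.
pub fn make_rhel_like_tree(tag: &str) -> PathBuf {
    let root = std::env::temp_dir().join(format!("probe-demo-{}-{}", tag, std::process::id()));
    for d in ["etc/pki/ca-trust/extracted/pem", "etc/pki/ca-trust/source/anchors", "etc/pki/tls/certs"] {
        fs::create_dir_all(root.join(d)).unwrap();
    }
    root
}

fn main() {
    let root = make_rhel_like_tree("main");
    // Every candidate gets `certs` joined: `extracted` has no such subdirectory,
    // so the probe falls through to the legacy /etc/pki/tls/certs.
    let joined = [("/etc/pki/ca-trust/extracted", Layout::CertsSubdir), ("/etc/pki/tls", Layout::CertsSubdir)];
    // Candidates split by layout: the anchors directory is used as-is.
    let split = [("/etc/pki/ca-trust/source/anchors", Layout::Direct), ("/etc/pki/tls", Layout::CertsSubdir)];
    println!("joined: {:?}", probe_cert_dir(&root, &joined));
    println!("split:  {:?}", probe_cert_dir(&root, &split));
    fs::remove_dir_all(&root).ok();
}
```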