It is indeed an overly complicated and frustrating setup. I've found some helpful information in the Red Hat man page for update-ca-trust, which describes the details.
Here's the Linux.org version of the man page: update-ca-trust(8)
But you may want to consult the version of that man page which comes with the particular distro/version of Linux you are using, as there might be differences.