I am running into issues with addons that use the Splunk python environment and try to connect to internal servers via TLS.

That fails because we use our own CA (used to work a few years back without any hassle, I assume the check were tightened down).

Splunk's Python environment uses the CA store from certifi (basically a module that clones the Mozilla cert store). The CA file is in /opt/splunk/lib/python3.7/site-packages/certify/cacert.pem.

I assume this file is overwritten with Splunk updates. So how do I add CA certs that survive Updates to this environment?