Score:1

Fedora Server 37 CA certificate store most equivalent to LocalMachine\root


Fedora Server 37 CA certificate store most equivalent to LocalMachine\root in a Windows environment?

Background notes: I have plenty of experience in the Windows area for certificate management, but Fedora Server is a bit of a new beast. I am learning the nuances of such experiences as certutil, as I recently set up and managed to get working (through sheer force of will and determination, and many sealert and ldap/sssd Google-search-related sleepless nights, literally) an LDAP-based login mechanism. I would now like to make sure that I actually installed things where they need to go, so I am looking to make sure I put the certificates where they belong.

In the interest of a proper long tail, I would like to add a separate question for each of the LocalMachine\my, LocalMachine\root and LocalMachine\ca type stores, but we can list the equivalencies here as well.

Target goal:

  1. I have acquired a LetsEncrypt certificate. As it renews, I would like to update that certificate as required into the appropriate folder to ensure that my signing chain remains up to date for the services I am using, and would like to use the most centralized system location that I can.
  2. I would like to avoid having to manually define where to find files in each service's configuration file, instead allowing the built in chain structure to automatically find the required certificates in the expected default locations.
    1. This assumes that all software built for this distro expects to find the certs in the same common folders. A stretch of the imagination, I know.
    2. Alternately, I would like to use the same location for every certificate configuration instead of using app-specific folders.
  3. I would like to have users that need to reference the public files from Let's Encrypt also have access to the same public certificates.
  4. Remove custom configuration in /etc/openldap/ldap.conf, /etc/sssd/sssd.conf, etc. that may require the common certificates.
  5. Avoid having to use certutil to copy files to local application certificate databases where possible.

Given:

  • Fedora Server 37
  • LetsEncrypt certificate collection in /etc/letsencrypt/live//
  • Configured /etc/openldap/ldap.conf
    • Presumably outside the scope of this question, I will create a new post once I get this post correctly configured
  • Configured /etc/sssd/sssd.conf
    • Presumably outside the scope of this question, I will create a new post once I get this post correctly configured

I think that what I want is to put the following files in the following folders:

  • /etc/letsencrypt/live//chain.cert
    • Equivalent on Windows: LocalMachine\TrustRoot (Intermediate Certification Authorities)
    • copy to /etc/pki/CA/certs
  • /etc/letsencrypt/live//fullchain.cert
    • Equivalent on Windows: LocalMachine\Root (Trusted Root Certification Authorities)
    • Because this is Let's Encrypt, it appears that the Fedora Server 37 distro already has the root IG_Root_X1.pem that I need here
    • copy to /etc/pki/ca-trust/source/anchors/
    • copy to /usr/share/pki/ca-trust-source/anchors/
    • run update_ca_trust extract to allow it to extract both sets of certificates into the appropriate stores
  • restorecon some magic string here

Questions:

  1. Have I made the correct assumptions above?
  2. Do I need to add any commands after copying any of the files to the above locations?
  3. What restorecon command do I need to run after copying files or running update_ca_trust?
  4. Should symlinking in appropriate locations likely be enough once I do this for any apps that demand the cert be placed in an alternate location, or will I probably have to fall back to certutil into the appropriate folder?
I would advise against using Fedora for a server. Use RHEL, Rocky, Alma, or one of the other stable RHEL-based distributions if you want the RHEL ecosystem. The default location for certs and related files in RHEL is `/etc/pki`, which you found already. Most apps should be easy enough to configure for that folder. Whatever mechanism you use to renew certs (certbot, acme.sh, etc.) typically has to notify apps that the cert has changed (typically a HUP signal; it depends on the app). Symlinks are always a good idea, especially if something is in a non-standard location.
I appreciate that you do not personally prefer to run Fedora as a server, but I see no reason why using Fedora Server should be frowned upon. This is partially intended to be a learning opportunity, and partially personal preference. What I wanted was a) long-tail and b) to make sure I understood if I were following expected patterns. Don't suppose you have any feedback on my actual questions? The long tail is giving me the sad, since SEO spam is so high nowadays.
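The question's file plan (copy into /etc/pki, run update-ca-trust, then restorecon) and the answer's point that the renewal mechanism has to notify the applications fit together as a single certbot-style deploy hook. The script below is an added example written for this page; it is not from the question, the answer, or the certbot project. It assumes a certbot-style live directory (fullchain.pem is cert.pem followed by chain.pem, privkey.pem beside it), a file-naming scheme of its own (`NAME.pem`, `NAME.key`, `NAME-chain.pem`), and three environment variables that are not on the page: `DESTROOT` (prefix the /etc paths with a scratch directory), `DRY_RUN` (print privileged commands instead of running them) and `SERVICES` (systemd units to reload). The defensive point it encodes: only CA certificates go into `/etc/pki/ca-trust/source/anchors/`, because anything placed there becomes a trust anchor for the whole system, so the leaf certificate and the full chain are kept out of it; with Let's Encrypt the intermediate already chains to ISRG Root X1 in the distribution's ca-certificates bundle, so the anchor step is off by default and only needed for a private CA.

```shell
#!/bin/sh
# Added example (not from the question or answer): a deploy hook that files
# renewed Let's Encrypt material into the Fedora/RHEL /etc/pki layout, then
# refreshes the trust store, the SELinux labels and the consuming services.
#
# Assumed environment (not part of the page):
#   DESTROOT  prefix for the /etc paths ("" on a real host, a temp dir for tests)
#   DRY_RUN   when non-empty, print privileged commands instead of running them
#   SERVICES  space-separated systemd units to reload after renewal
set -eu

# Run a privileged command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Count the certificates in a PEM file.
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the Nth certificate (1-based) of a PEM bundle. certbot writes
# fullchain.pem as cert.pem followed by chain.pem, so block 1 is the leaf and
# blocks 2.. are the intermediates.
pem_block() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# deploy_le_material LIVE_DIR NAME [yes|no]   (third arg: also anchor the chain)
deploy_le_material() {
    live="$1"; name="$2"; add_anchor="${3:-no}"
    root="${DESTROOT:-}"
    anchors="$root/etc/pki/ca-trust/source/anchors"   # system trust anchors: CA certs only
    certs="$root/etc/pki/tls/certs"                   # server (leaf+chain) certificates
    keys="$root/etc/pki/tls/private"                  # private keys, never world-readable
    mkdir -p "$certs" "$keys" "$anchors"

    # Applications get the full chain; the key is installed with mode 0600.
    install -m 0644 "$live/fullchain.pem" "$certs/$name.pem"
    install -m 0600 "$live/privkey.pem" "$keys/$name.key"

    # Optional: anchor the intermediates only. The leaf (block 1) is deliberately
    # left out, since every file in anchors/ becomes a system-wide trust anchor.
    if [ "$add_anchor" = yes ]; then
        n=$(pem_count "$live/fullchain.pem")
        i=2
        : > "$anchors/$name-chain.pem"
        while [ "$i" -le "$n" ]; do
            pem_block "$live/fullchain.pem" "$i" >> "$anchors/$name-chain.pem"
            i=$((i + 1))
        done
        chmod 0644 "$anchors/$name-chain.pem"
        run update-ca-trust extract        # rebuild /etc/pki/ca-trust/extracted/*
        run restorecon -RvF "$anchors"     # relabel what we just wrote
    fi
    run restorecon -RvF "$certs" "$keys"

    # Let the consumers pick up the new files (reload rather than restart).
    for svc in ${SERVICES:-}; do
        run systemctl reload "$svc"
    done
}
```

On a real host this would be invoked from the renewal tool with an empty `DESTROOT` and `DRY_RUN`, for example `SERVICES="httpd slapd" deploy_le_material /etc/letsencrypt/live/example.org example` (the domain is a placeholder). Applications that insist on their own location can then be pointed at `/etc/pki/tls/certs/NAME.pem` with a symlink, as the answer suggests, instead of importing into a per-application certutil database.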