When are you encountering this issue? When trying to bootstrap? I had a similar problem to this, due to our internal PKI not being publicly signed, when trying to install Ruby gems. I took a copy of that cacerts.pem file and added it to my base cookbook as a template so it gets applied to all my nodes. All of the root certs in this file will outlive most of my servers by a huge amount of time, so I just update my template as new versions of the chef-client are updated.
Alternately, if you don't want to do that, you could put your certs in a file and then append them to the end of that cacert.pem file using `cat cert.file >> /opt/chef/embedded/ssl/certs/cacerts.pem`
Thanks Larry, that's what I ended up doing. A lot of trial and error to get to that. I was hoping that Chef would see them in the trusted CA list so I could create my servers with the certs before Chef was installed. If I have to count on the cacerts.pem in the Chef location, I have to bootstrap using `--node-ssl-verify-mode none`.
**Temporary Fix:** If I copy the certs from that location to /opt/chef/embedded/ssl/certs and rename it to cacerts.pem everything works.
**Problem:** This is not something I can do for every node I want to bootstrap. This would be a manual process. How can I get Chef to import the right certs? Is there somewhere on the Chef server I can put these certs that the node can grab it from?
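An idempotent version of the append step discussed in this thread, as an added example that is not part of the original posts. The function names and the `internal-ca.pem` file name are assumptions; the script compares the encoded certificate bodies only and does not parse or validate the X.509 content.

```shell
#!/bin/sh
# Added example (not from the thread): append internal CA certs to a PEM
# bundle without duplicating them on repeated runs.

# pem_bodies FILE
# Print one line per CERTIFICATE block: its base64 body with line breaks
# and whitespace removed, so the same cert wrapped differently still matches.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# append_ca_certs BUNDLE CERTFILE
# Append every certificate in CERTFILE that BUNDLE does not already contain.
# Prints the number of certificates appended.
append_ca_certs() {
    bundle=$1
    src=$2
    added=0
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 1; }
    [ -s "$src" ]    || { echo "no certificates in: $src" >&2; return 1; }

    # base64 bodies contain no whitespace or glob characters, so word
    # splitting the command substitution yields exactly one item per cert.
    for body in $(pem_bodies "$src"); do
        if pem_bodies "$bundle" | grep -qxF -e "$body"; then
            continue                    # already trusted, skip
        fi
        {
            # Leading newline: a bundle that lacks a trailing newline would
            # otherwise glue BEGIN onto the previous END line.
            echo
            echo "-----BEGIN CERTIFICATE-----"
            echo "$body" | fold -w 64
            echo "-----END CERTIFICATE-----"
        } >> "$bundle"
        added=$((added + 1))
    done
    echo "$added"
}

# Usage with the path from the thread (internal-ca.pem is a hypothetical name):
#   append_ca_certs /opt/chef/embedded/ssl/certs/cacerts.pem internal-ca.pem
```

Because reruns append nothing, the function can be re-applied from a recipe or bootstrap template after a chef-client update replaces the bundle.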