Appending the Certificate Authority (CA)
Append additional certificate authorities to the system’s trusted certificate store by patching the machine configuration with the following document:STATE partition is encrypted, the CA certificates will be only be loaded after the partition is unlocked.
So the encryption method should allow unlocking the partition without the need for a CA certificate.