And I think I remember to have read something like this that it might only be updated/solved soon ™ with 4.3 …
But for our J1s we need updated ca-certificates as well and I would like to see @Jolla to support their baby at least with up-to-date certificates. No more no less.
Or we go by hand manipulation or offer this by ourselves on openrepos?
Support from Jolla is unlikely not going to happen.
Community-built packages should be no problem though, over openrepos, chum, OBS or another way.
@nephros why you expect support from Jolla for Jolla phone. They finished supporting this phone after 7 years. Which is a lot in mobile world.
Oh, it was me! 
And not ‘expecting’ them to do so (absolutely I do not expect them).
Just requesting to at least support such fundamental security critical update. Which should not be that much of work/overhead to push a newer ca-certificate package on the J1 3.4 repo, or?
Do you remember the PR1.3.1 update?
pkcon search ca-cert
ca-certificates-2018.2.26-1.4.1.jolla.noarch (installed) The Mozilla CA root certificate bundle
Actually I guess a proper community port/release fot the J1 would be the best solution.
But who will step up?
Thank you @peterleinchen for the correct basic assessment and almost the right implementation (you patch the source bundle, not the target one).
After some more research I created a more generic guide how to handle this properly:
Wow, thank you!
Another really well-written, detailed and knowledged guide by @olf.
I am not that deep into that cert stuff, normally do not need it and always forced to dig into it when something happens.
So I did not dare to look for the cert to put it into the blacklist (as it was not in pem format in the bundle).
One noob question I do have: why is my approach only almost? 
I used the source bundle and ran update-ca-trust.
What is “wrong” with that?