For information
https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
This has already been taken into account in CU172 Testing. See the announcement.
https://blog.ipfire.org/post/ipfire-2-27-core-update-172-is-available-for-testing#miscellaneous
The patch to implement this takes account of the expiry date question raised in the article.
https://lists.ipfire.org/pipermail/development/2022-December/014909.html
So with CU172 onwards IPFire users will not be using the TrustCor Systems root CA’s