Why can't they just release that certificate for everyone to install on all affected non-recent and derivative builds (like Tor Browser)? Or is the internal certificate storage different from the one that is configurable in settings? Then tell us straight away what file to change, and the community (everyone likes to mention so much) comes up with the ways to patch it much faster than you think.