We are unable to use Cargo because our IT department intercepts all HTTPS traffic and replaces the certificates. I need to add the corporate root CA to Cargo's list of trusted CAs. Where is the file Cargo uses to store these?
I started strace cargo fetch in a random project, and it looks like, on Linux at least, cargo is just using my system certificates:
524 stat("/etc/pki/ca-trust/extracted/pem", 0x7ffccad52c70) = -1 ENOENT (No such file or directory)
529 stat("/usr/local/share/cert.pem", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
530 stat("/usr/local/share/certs.pem", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
531 stat("/usr/local/share/certs/ca-certificates.crt", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
532 stat("/usr/local/share/certs/ca-root-nss.crt", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
533 stat("/usr/local/share/certs/ca-bundle.crt", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
534 stat("/usr/local/share/CARootCertificates.pem", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
535 stat("/usr/local/share/tls-ca-bundle.pem", 0x7ffccad52da0) = -1 ENOENT (No such file or directory)
537 stat("/etc/ssl/cert.pem", {st_mode=S_IFREG|0444, st_size=220132, ...}) = 0
571 openat(AT_FDCWD, "/etc/ssl/cert.pem", O_RDONLY) = 3
/etc/ssl/cert.pem contains many certificates, and one of them is good enough for cargo by default.
The registry is hosted by default on GitHub, which is ultimately signed by "DigiCert High Assurance EV Root CA", which is indeed contained in this file.
On some distributions (although I do not know how standard that is), you can add a certificate to the system store using the command:
# trust anchor your-cert.crt
You can set an alternative CA store with the environment variable CARGO_HTTP_CAINFO or with the configuration variable http.cainfo.
For example, to set the CA for bash with an environment variable:
export CARGO_HTTP_CAINFO=/path/to/alternative.pem
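An added example, not part of the original answers: the file named by CARGO_HTTP_CAINFO or http.cainfo is used as the CA bundle for verification, so this sketch builds one that holds the system roots plus the corporate root instead of the corporate certificate alone. The function names and every path other than /etc/ssl/cert.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a CA bundle for
# CARGO_HTTP_CAINFO / http.cainfo from the system bundle plus one
# corporate root CA file. Function names and paths are assumptions.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ca_bundle SYSTEM_BUNDLE CORP_CA OUT
# Writes OUT atomically; returns non-zero and leaves OUT untouched if an
# input is unreadable or is not PEM (for example a DER-encoded .cer file).
build_ca_bundle() {
    sys_bundle=$1 corp_ca=$2 out=$3
    for f in "$sys_bundle" "$corp_ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        [ "$(count_certs "$f")" -ge 1 ] || {
            echo "$f contains no PEM certificate" >&2; return 1; }
    done
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    # The extra newline after each input keeps END/BEGIN markers on
    # separate lines when a file lacks a trailing newline.
    { cat "$sys_bundle"; echo; cat "$corp_ca"; echo; } > "$tmp" || {
        rm -f "$tmp"; return 1; }
    # Sanity check: the output must hold every certificate from both inputs.
    want=$(( $(count_certs "$sys_bundle") + $(count_certs "$corp_ca") ))
    [ "$(count_certs "$tmp")" -eq "$want" ] || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv "$tmp" "$out"
}

# Usage (corp-root.pem and the output path are assumptions):
#   build_ca_bundle /etc/ssl/cert.pem ./corp-root.pem "$HOME/.cargo/ca-bundle.pem" &&
#       export CARGO_HTTP_CAINFO="$HOME/.cargo/ca-bundle.pem"
```

The bundle is a snapshot, so it needs rebuilding when the system certificates or the corporate root change.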