Ah, ok.
To be clear, you only need to customize the CACerts at all when downloading from sites that use (or appear to use) certificates issued by your CA.
In normal usage, that means internal websites hosting content for your custom Fixlets, or the Inventory catalog downloads coming from your BFI server (assuming you have replaced BFI’s default self-signed certificate with a certificate issued by your CA).
In many deployments, a proxy server will be configured to decrypt your Internet downloads, replacing the HTTPS session with your Proxy’s certificate. In that case you need to add trust for your internal CA so those proxied connections are trusted.
If you aren’t hosting custom downloads, and aren’t using a decrypting proxy, and haven’t replaced Inventory’s certificate, then all you need is to either trust the Inventory server’s self-signed certificate, or replace Inventory’s certificate with one you do trust (from your CA, and configure the root server to trust your CA); or keep the _BESRelay_Download_UntrustedSites
setting so your root server ignores the “untrusted certificate” error.