CentOS - Jun 2020 - Adding root CA certificates for use by NSS applications?

I'm trying to get a third party application to use the root CA 
certificate of an SSL proxy - but can't work out how to install the cert 
for use by all users on CentOS 7

I have the proxy vendor's supplied CA cert in PEM format

I can install the cert in a user's home directory using 'certutil' -
and
the application works OK - but I would like to do 'something' to install
this cert somewhere central that will be picked up by all users

After a bit of Googling, I've found that by default, EL7 uses 
'p11-kit-trust.so' (from the p11-kit-trust package) as a drop-in 
replacement for the nss supplied 'libnssckbi.so' (via
'alternatives') -
which, I believe, should be able to pick up CA certs installed under 
/etc/pki/ca-trust/source/anchors/

Strace'ing the app, I can see it reading the files under 
/etc/pki/ca-trust/source/... including the required CA cert - but the 
app fails to connect - but I have no idea what might be wrong ...

Am I missing something obvious here?

Is there an easier way to achieve what I want?

Thanks

James Pearson