Ubuntu has an update repository of the Certificate Authorities in what they call the System-Wide Certificate Authority Database.
Most likely any recognized CA and Intermediate certificates are already in the database and expired or new certificates.
See the section Certificate into the System-Wide Authority Database on the Ubuntu OpenSSL Help website.
```
$ dpkg -S "/etc/ssl/certs"
openssl, ca-certificates: /etc/ssl/certs
$ dpkg -L ca-certificates
```
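The file list from `dpkg -L ca-certificates` can also be used to spot trust anchors that did not come from the package. The following is an added example, not part of the original text: the function name `unpackaged_certs` and the list path `/tmp/ca-pkg.list` are hypothetical, and it assumes the entries in the certificate directory are symlinks to the real certificate files, as `update-ca-certificates` creates them.

```shell
#!/bin/sh
# Added example: list entries in a certificate directory whose real file is
# not shipped by the ca-certificates package (trust anchors added locally).

# unpackaged_certs CERT_DIR PKG_LIST   (hypothetical helper name)
#   CERT_DIR  directory to audit (on Ubuntu: /etc/ssl/certs)
#   PKG_LIST  file holding the output of `dpkg -L ca-certificates`
# Prints one "entry -> resolved target" line per entry not found in PKG_LIST.
unpackaged_certs() {
    cert_dir=$1
    pkg_list=$2
    for entry in "$cert_dir"/*; do
        # Skip subdirectories and dangling symlinks.
        [ -f "$entry" ] || continue
        # ca-certificates.crt is the bundle generated by update-ca-certificates,
        # so it never appears in the package file list.
        [ "$(basename "$entry")" = "ca-certificates.crt" ] && continue
        # Follow the symlink chain (hash link -> .pem link -> real file).
        target=$(readlink -f "$entry")
        # -F fixed string, -x whole line, -q quiet: exact path match only.
        grep -Fxq -- "$target" "$pkg_list" || printf '%s -> %s\n' "$entry" "$target"
    done
}

# Typical use on an Ubuntu host (uncomment to run):
#   dpkg -L ca-certificates > /tmp/ca-pkg.list
#   unpackaged_certs /etc/ssl/certs /tmp/ca-pkg.list
```

Any line it prints is a certificate trusted system-wide that was installed outside the package, so each one should be traceable to a deliberate administrative change.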