I found a way to do it but it seems odd.
sudo cp my-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
This results in a file in /etc/pki/ca-trust/extracted/pem/directory-hash/.
As it turns out this is not where openssl looks by default which is governed by
/etc/pki/tls/openssl.cnf.
Verification can be done with:
openssl verify -CApath /etc/pki/ca-trust/extracted/pem/directory-hash/ ./bar.pem
What I would like to know is how do the various browsers (chrome, firefox) and programs (curl) make use of these root certificates?
Do they use openssl or some std library?