Currently, keyfiles are in /etc/NetworkManager/system-connections (and some limited support is for runtime connections in /run/NetworkManager/system-connections for initrd-generator).
This needs improvement.
A more elaborate description here:
https://bugzilla.gnome.org/show_bug.cgi?id=772414
This is important, if you want to pre-deploy profiles. For example, a company might provide RPMs with VPN setups for their company notebooks. Such configuraion files should not end up in /etc. On the other hand, we might have more generators like initrd-generator. These may want to put profiles in /run.
A WIP branch is at th/settings-delegate-storage.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:3623