In the Fedora's python-certifi package, we patch the logic to not use the bundled root certificate, but the system one instead:
https://src.fedoraproject.org/rpms/python-certifi/blob/f27/f/python-certifi.spec#_71 (using f27 branch here to have a stable line number)
python-pip bundles it's own certifi (and for multiple reasons we don't unbundle stuff from pip), pipenv bundles a patched version of pip. We should make sure to apply the same patch in both.
certifi is a (rather insecure) hack for platforms that don't have a good central location for the root certificates, we should not be using their pem cerificate from pip or pipenv.
What's the status of that?
The PR broke virtualenv. I've fixed it upstream. Needs backport. If you'd like to help, propose a Fedora python-virtualenv PR. Or I'll get to it tomorrow.