And yes, since the Linux distros can't agree on a reliable way for third party applications to find the system certificate store without distro-specific patches, I'd agree that bundling certifi and patching your Python builds is your best currently available option for getting good "out of the box" behaviour. Donald tried to make location autodetection work for pip, but the distros unfortunately not only can't agree on how the default certs should be located, they also don't make sure the other potential locations reliable give a detectable error :(
Given your context of use though, the one potential incompatibility you're going to have to watch out for is losing access to any custom CA certificates that are installed into the system trust stores (since certifi won't have any knowledge of those).