On host:
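# libnss3-tools ships nss-addbuiltin, the Debian/Ubuntu name for NSS's addbuiltin tool.
sudo apt-get install libnss3-tools
hg clone https://hg.mozilla.org/mozilla-central
cd mozilla-central
# nss-addbuiltin reads a DER certificate on stdin and prints a certdata.txt entry for it.
# -t takes three trust fields (TLS, S/MIME, object signing): "CT,C,C" marks the
# certificate as a trusted CA for TLS server and client certificates and as a
# trusted CA for the other two usages, so every build made from this tree
# treats chains to this root as built-in trust.
# '>>' appends, so running the command twice adds the entry twice. Audit the change with
#   hg diff security/nss/lib/ckfw/builtins/certdata.txt
# and restore the upstream root list with 'hg revert' on the same path.
nss-addbuiltin -n "SomeMaliciousCA" -t "CT,C,C" < ~/malicious.der >> security/nss/lib/ckfw/builtins/certdata.txt
# Bind-mount the clone we are standing in rather than the absolute host path
# /mozilla-central: the two are the same only when the clone was made from /.
# With any other working directory Docker would create and mount an empty
# /mozilla-central on the host. The path inside the container is unchanged.
sudo docker run -v "$PWD:/mozilla-central" -ti ubuntu:focal /bin/bash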
Inside docker: