This feature is needed by anyone using standard public CA infrastructure (like getting certificates from Let's Encrypt) for their SSL in front of their MQTT broker - which is often recommended practice now.
The patch above would largely work, but is now blocked in 07.xx firmware in the UI itself - it won't let you enable the MQTT bridge with TLS unless there is a CA certificate provided.
My current workaround is to create a new CA certificate in "System>Administration>Certificates", making sure to name it "ca" and enable the option to sign it. This creates a new certificate in "/etc/certificates/ca.cert.pem" that is selectable as an option in the MQTT broker bridge settings.
Because I actually need this certificate to be the default system CA bundle, I then symlink the bundle to the new custom CA cert location with "ln -fs /etc/cacert.pem /etc/certificates/ca.cert.pem", either via SSH or by adding it into the startup script in "System>Custom Scripts".
With this now selected in the MQTT broker bridge settings, it allows me to enable it, and the CA bundle is successfully used to connect to my public MQTT broker.
I imagine the simplest way to implement this properly as a feature in future firmware would be to allow the use of the default system CA bundle at "/etc/cacert.pem" as a supplied CA certificate in the certificate manager page (rather than having to do the little dance with the symlink above). The MQTT bridge system already allows the user to select one of the certificates provided on the device here, so it would show up as an option.
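
A guarded form of the symlink step described in the post above, as an added example that is not part of the original post or of the firmware: it refuses to link to a missing or non-PEM bundle and is safe to run on every boot. The two default paths are the ones named in the post; the function name `link_ca_bundle`, the `RUN` switch and the `.orig` backup name are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded, idempotent version of the "ln -fs" workaround.
# Defaults are the two paths named in the post; both can be overridden.
BUNDLE="${BUNDLE:-/etc/cacert.pem}"
TARGET="${TARGET:-/etc/certificates/ca.cert.pem}"

# link_ca_bundle BUNDLE TARGET
# Returns 0 if TARGET ends up as a symlink to BUNDLE, 1 if BUNDLE is unusable.
link_ca_bundle() {
    bundle="$1"
    target="$2"

    # Refuse a missing or empty bundle: a dangling link would leave the
    # bridge with no trust anchors to verify the broker against.
    if [ ! -s "$bundle" ]; then
        echo "ca-link: $bundle missing or empty" >&2
        return 1
    fi
    # The bundle must contain at least one PEM certificate block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "ca-link: no PEM certificates in $bundle" >&2
        return 1
    fi

    # Already linked correctly: nothing to do.
    if [ -L "$target" ] && [ "$(readlink "$target")" = "$bundle" ]; then
        return 0
    fi

    # Keep the generated "ca" certificate once so the change can be undone
    # (the .orig suffix is this example's choice).
    if [ -f "$target" ] && [ ! -L "$target" ] && [ ! -e "$target.orig" ]; then
        cp -p "$target" "$target.orig"
    fi

    ln -fs "$bundle" "$target"
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${RUN:-0}" = "1" ]; then
    link_ca_bundle "$BUNDLE" "$TARGET"
fi
```

In a startup script, set `RUN=1` before this block or call `link_ca_bundle` directly with the two paths.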