I had success (more or less) on 10.6.8. The existing Firefox wouldn't download isrgrootx1.der exactly, but it did prompt me to trust it, so firefox works again. Yay! Then I downloaded it with wget (from macports which already worked), and dragged it to KeyChain Access.app which only let my user trust it in the "local" keychain.
I tried to add it to the "System Roots" keychain but it didn't work (but there were no errors when I tried, it just didn't end up in the list). Then I followed instructions at this link to export the root certificates from a later macOS and import them:
The new certificates ended up in the "System" keychain (not "System Roots"). It was probably unnecessary, but I changed the script in the above link so as to add them to the "System Roots" keychain, and imported the new roots there. They were imported successfully.
However, Safari still doesn't work, but I'm pretty sure that that's for other reasons. I think it only supports TLSv1.0 and letsencrypt.org and my sites don't support that. Firefox and macports tools all work, but macports already did anyway. That's the main thing.
But I suspect that any other ancient Appleware on that host won't work anymore even with new root certificates, but that's probably to be expected. Luckily, I don't use that host for its fancy webbed footwork.