Add note about local overrides.

README

@@ -33,3 +33,6 @@ include this CA into the ca-bundle.crt (used for GnuTLS), it must have
 serverAuth trust. Additionally, to explicitly disallow a certificate for a
 particular use, replace the -addtrust flag with the -addreject flag.
 
+Local trust overrides are handled entirely using the /etc/ssl/local directory.
+To override Mozilla's trust values, simple make a copy of the certificate in
+the local directory with alternate trust values.