diff --git a/src/crypto/x509/root.go b/src/crypto/x509/root.go
index ac92915128..fb1d70c735 100644
--- a/src/crypto/x509/root.go
+++ b/src/crypto/x509/root.go
@@ -6,7 +6,11 @@ package x509
 
 //go:generate go run root_ios_gen.go -version 55161.140.3
 
-import "sync"
+import (
+	"io/ioutil"
+	"os"
+	"sync"
+)
 
 var (
 	once           sync.Once
@@ -20,6 +24,16 @@ func systemRootsPool() *CertPool {
 }
 
 func initSystemRoots() {
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots := NewCertPool()
+			roots.AppendCertsFromPEM(data)
+			systemRoots = roots
+			return
+		}
+	}
+
 	systemRoots, systemRootsErr = loadSystemRoots()
 	if systemRootsErr != nil {
 		systemRoots = nil