diff --git a/src/crypto/x509/root_darwin_amd64.go b/src/crypto/x509/root_darwin_amd64.go
index ce88de025e..258ecc45d1 100644
--- a/src/crypto/x509/root_darwin_amd64.go
+++ b/src/crypto/x509/root_darwin_amd64.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	macOS "crypto/x509/internal/macos"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"strings"
 )
@@ -25,6 +26,14 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 var loadSystemRootsWithCgo func() (*CertPool, error)

 func loadSystemRoots() (*CertPool, error) {
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots := NewCertPool()
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
 	var trustedRoots []*Certificate
 	untrustedRoots := make(map[string]bool)

diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
index b48e618a65..195c1ff25a 100644
--- a/src/crypto/x509/root_unix.go
+++ b/src/crypto/x509/root_unix.go
@@ -42,6 +42,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate

 func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}

 	files := certFiles
 	if f := os.Getenv(certFileEnv); f != "" {