diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go
index 05593bb105..a6a11eeec1 100644
--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -11,6 +11,7 @@ import (
 	"bytes"
 	macOS "crypto/x509/internal/macos"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"strings"
 )
@@ -22,6 +23,14 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 }
 
 func loadSystemRoots() (*CertPool, error) {
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots := NewCertPool()
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
 	var trustedRoots []*Certificate
 	untrustedRoots := make(map[string]bool)
 
diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
index dede825edd..ffb3caf4a4 100644
--- a/src/crypto/x509/root_unix.go
+++ b/src/crypto/x509/root_unix.go
@@ -9,6 +9,7 @@ package x509
 
 import (
 	"io/fs"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -32,6 +33,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 
 func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
 
 	files := certFiles
 	if f := os.Getenv(certFileEnv); f != "" {