diff --git a/src/crypto/x509/root_cgo_darwin.go b/src/crypto/x509/root_cgo_darwin.go
index a4b33c7..9700b75 100644
--- a/src/crypto/x509/root_cgo_darwin.go
+++ b/src/crypto/x509/root_cgo_darwin.go
@@ -151,11 +151,20 @@ int FetchPEMRoots(CFDataRef *pemRoots) {
 import "C"
 import (
 	"errors"
+	"io/ioutil"
+	"os"
 	"unsafe"
 )
 
 func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
 
 	var data C.CFDataRef = nil
 	err := C.FetchPEMRoots(&data)
diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go
index 66cdb5e..bb28036 100644
--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -61,17 +61,25 @@ func execSecurityRoots() (*CertPool, error) {
 		println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
 	}

-	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
-	data, err := cmd.Output()
-	if err != nil {
-		return nil, err
-	}
-
 	var (
 		mu          sync.Mutex
 		roots       = NewCertPool()
 		numVerified int // number of execs of 'security verify-cert', for debug stats
 	)

+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
+
+	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
+	data, err := cmd.Output()
+	if err != nil {
+		return nil, err
+	}
+
 	blockCh := make(chan *pem.Block)
 	var wg sync.WaitGroup
diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
index 7bcb3d6..3986e1a 100644
--- a/src/crypto/x509/root_unix.go
+++ b/src/crypto/x509/root_unix.go
@@ -24,6 +24,14 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 
 func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
+	if file := os.Getenv("NIX_SSL_CERT_FILE"); file != "" {
+		data, err := ioutil.ReadFile(file)
+		if err == nil {
+			roots.AppendCertsFromPEM(data)
+			return roots, nil
+		}
+	}
+
 	var firstErr error
 	for _, file := range certFiles {
 		data, err := ioutil.ReadFile(file)