diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 439a6f97c..79bb69132 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -77,6 +77,23 @@ Settings::Settings()
 if (sslOverride != "")
 caFile = sslOverride;
 
+#ifdef __APPLE__
+ if(caFile.get().starts_with("keychain:")){
+ debug("reading %s",caFile.get());
+ auto caContents = runProgram("/usr/bin/security", false, {"find-certificate", "-a", "-p", caFile.get().substr(9)});
+ if (caContents.empty()){
+ warn("reading '%s' found no certificates",caFile.get());
+ }
+ auto caFilePath = settings.nixConfDir + "/ssl-cert-file.keychain";
+ auto caFilePathTmp = caFilePath + ".tmp";
+ debug("writing to %s",caFilePathTmp);
+ writeFile(caFilePathTmp.c_str(),caContents);
+ // check failure?
+ std::rename(caFilePathTmp.c_str(), caFilePath.c_str());
+ caFile = caFilePath;
+ }
+#endif
+
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
 if (s) {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 8760c9d14..6a6ca5a83 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -1061,6 +1061,12 @@ public:
 1. `NIX_SSL_CERT_FILE`
 2. `SSL_CERT_FILE`
+
+ Darwin only: The path can also be of form keychain:/path-to-keychain
+ which will read the OSX keychain and write it to the config directory
+ and use that file as the CA file. For example, setting
+ "keychain:/System/Library/Keychains/SystemRootCertificates.keychain"
+ will write to "/etc/nix/ssl-cert-file.keychain".
 )"};
 
 #if __linux__
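Review bot: The `std::rename` in the new `#ifdef __APPLE__` block discards its return value, so a failed rename (for instance when `nixConfDir` is not writable by the invoking user) silently leaves `caFile` pointing at a path that may be stale or absent; the `// check failure?` comment should become a check, `if (std::rename(caFilePathTmp.c_str(), caFilePath.c_str()) == -1) throw SysError("renaming '%s' to '%s'", caFilePathTmp, caFilePath);`. When `security find-certificate` returns nothing the code warns but still installs the empty output as the CA bundle, which makes every TLS verification fail until the keychain is fixed; if that fail-closed behaviour is intended, a comment such as `// an empty bundle is installed on purpose: better to fail verification than to fall back to no CA file` would make it explicit. The `9` in `caFile.get().substr(9)` is the length of the `"keychain:"` prefix and deserves a named constant next to the `starts_with` test. `settings.nixConfDir` inside `Settings::Settings()` appears to read the global instance that is currently being constructed, where plain `nixConfDir` seems intended. Settings::Settings() starts before the hunk and continues after it.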