diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 36c89bee9..05d6685da 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1777,7 +1777,8 @@ void LocalDerivationGoal::runChild()
                     if (pathExists(path))
                         ss.push_back(path);
 
-                dirsInChroot.emplace(settings.caFile, "/etc/ssl/certs/ca-certificates.crt");
+                if (settings.caFile != "")
+                    dirsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
             }
 
             for (auto & i : ss) dirsInChroot.emplace(i, i);
diff --git a/tests/linux-sandbox-cert-test.nix b/tests/linux-sandbox-cert-test.nix
new file mode 100644
index 000000000..2b86dad2e
--- /dev/null
+++ b/tests/linux-sandbox-cert-test.nix
@@ -0,0 +1,29 @@
+{ fixed-output }:
+
+with import ./config.nix;
+
+mkDerivation ({
+  name = "ssl-export";
+  buildCommand = ''
+    # Add some indirection, otherwise grepping into the debug output finds the string.
+    report () { echo CERT_$1_IN_SANDBOX; }
+
+    if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+      content=$(</etc/ssl/certs/ca-certificates.crt)
+      if [ "$content" == CERT_CONTENT ]; then
+        report present
+      fi
+    else
+      report missing
+    fi
+
+    # Always fail, because we do not want to bother with fixed-output
+    # derivations being cached, and do not want to compute the right hash.
+    false;
+  '';
+} // (
+  if fixed-output == "fixed-output"
+  then { outputHash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; }
+  else { }
+))
+
diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh
index 5a2cf7abd..45f0ce7a4 100644
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@@ -40,3 +40,27 @@ grepQuiet 'may not be deterministic' $TEST_ROOT/log
 
 # Test that sandboxed builds cannot write to /etc easily
 (! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)
+
+
+## Test mounting of SSL certificates into the sandbox
+testCert () {
+    (! nix-build linux-sandbox-cert-test.nix --argstr fixed-output "$2" --no-out-link --sandbox-paths /nix/store --option ssl-cert-file "$3" 2> $TEST_ROOT/log)
+    cat $TEST_ROOT/log
+    grepQuiet "CERT_${1}_IN_SANDBOX" $TEST_ROOT/log
+}
+
+nocert=$TEST_ROOT/no-cert-file.pem
+cert=$TEST_ROOT/some-cert-file.pem
+echo -n "CERT_CONTENT" > $cert
+
+# No cert in sandbox when not a fixed-output derivation
+testCert missing normal       "$cert"
+
+# No cert in sandbox when ssl-cert-file is empty
+testCert missing fixed-output ""
+
+# No cert in sandbox when ssl-cert-file is a nonexistent file
+testCert missing fixed-output "$nocert"
+
+# Cert in sandbox when ssl-cert-file is set to an existing file
+testCert present fixed-output "$cert"