diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
index ae36b319..cad6f3ce 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@@ -44,6 +44,10 @@ let
 default = if isGlobal then true else cfg.enableNetwork;
 };
 
+ enableBundledCertificates = lib.mkEnableOption "bundling additional certificates from nixpkgs" // {
+ default = if isGlobal then true else cfg.enableBundledCertificates;
+ };
+
 enableIsolation = lib.mkEnableOption "unsharing most of the system" // {
 default = if isGlobal then true else cfg.enableIsolation;
 };
@@ -106,6 +110,10 @@ in
 ];
 })
 
+ (lib.mkIf submoduleCfg.enableBundledCertificates {
+ sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
+ })
+
 (lib.mkIf submoduleCfg.enableIsolation {
 sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
 })
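Review bot: The description string of `enableBundledCertificates` in the first hunk does not say which certificates are shared or where the trust anchors come from, even though the option defaults to enabled at the global scope. Since the implementation shares `pkgs.cacert`, the text could name it, for example `lib.mkEnableOption "sharing the CA certificate bundle from pkgs.cacert with the sandbox"`. A short comment that per-wrapper values appear to inherit the global setting through `cfg.enableBundledCertificates` would also help. The enclosing `let` block starts and ends outside the hunk.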
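Review bot: Sharing the `pkgs.cacert` store path in the second hunk makes the bundle readable inside the sandbox, but nothing visible here tells a TLS client where to find it, so verification may still fail unless another part of the module exports the location. If no such setting exists, consider adding one alongside, e.g. `sandboxing.bubblewrap.extraArgs = [ "--setenv" "SSL_CERT_FILE" "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];`. The entry is also applied when networking is disabled; assuming `submoduleCfg.enableNetwork` is available here, gating on both options would keep the offline sandbox's view of the store smaller. The surrounding list of `lib.mkIf` entries starts and ends outside the hunk.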