diff --git a/install-tl b/install-tl
index 4b43170b..1c53a830 100755
--- a/install-tl
+++ b/install-tl
@@ -914,7 +914,9 @@ sub final_remote_init {
 } elsif ($media eq "NET") {
 info("Distribution: net (downloading)\n");
 info("Using URL: $TeXLiveURL\n");
- TeXLive::TLUtils::setup_persistent_downloads() if $opt_persistent_downloads;
+ TeXLive::TLUtils::setup_persistent_downloads(
+ "$::installerdir/tlpkg/installer/curl/curl-ca-bundle.crt"
+ ) if $opt_persistent_downloads;
 } else {
 info("Distribution: $media\n");
 }
diff --git a/texmf-dist/scripts/texlive/tlmgr.pl b/texmf-dist/scripts/texlive/tlmgr.pl
index 2dc8a582..86c821ce 100755
--- a/texmf-dist/scripts/texlive/tlmgr.pl
+++ b/texmf-dist/scripts/texlive/tlmgr.pl
@@ -690,7 +690,9 @@ sub main {
 # if we are asked to use persistent connections try to start it here
 ddebug("tlmgr:main: do persistent downloads = $opts{'persistent-downloads'}\n");
 if ($opts{'persistent-downloads'}) {
- TeXLive::TLUtils::setup_persistent_downloads() ;
+ TeXLive::TLUtils::setup_persistent_downloads(
+ "$Master/tlpkg/installer/curl/curl-ca-bundle.crt"
+ ) ;
 }
 if (!defined($::tldownload_server)) {
 debug("tlmgr:main: ::tldownload_server not defined\n");
diff --git a/tlpkg/TeXLive/TLDownload.pm b/tlpkg/TeXLive/TLDownload.pm
index 75fd01fa..be30dfd3 100644
--- a/tlpkg/TeXLive/TLDownload.pm
+++ b/tlpkg/TeXLive/TLDownload.pm
@@ -40,10 +40,11 @@ if ($@) {
 sub new
 {
 my $class = shift;
+ my %params = @_;
 my $self = {};
 $self->{'initcount'} = 0;
 bless $self, $class;
- $self->reinit();
+ $self->reinit(defined($params{'certificates'}) ? $params{'certificates'} : "");
 return $self;
 }
@@ -52,6 +53,7 @@ sub new
 sub reinit {
 my $self = shift;
+ my $certs = shift;
 # Irritatingly, as of around version 6.52, when env_proxy is set, LWP
 # started unconditionally complaining if the environment contains
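Review bot: The CA bundle path given to `setup_persistent_downloads(...)` in `final_remote_init` is passed on without checking that `$::installerdir/tlpkg/installer/curl/curl-ca-bundle.crt` exists and is readable, so a stripped or relocated installer tree would only surface later as TLS verification failures. The same path suffix is repeated literally in the tlmgr.pl hunk under `$Master`; one shared constant or helper would keep the two call sites from drifting apart. Because this file becomes the trust-anchor set for HTTPS downloads, a comment at the call such as `# CA bundle shipped with TL; the file must not be writable by untrusted users` would record that its permissions now matter. `final_remote_init` starts and ends outside the hunk.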
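Review bot: `reinit` reads its new argument positionally (`my $certs = shift;` in the `-52,6` hunk) and `new` calls it that way, but the TLUtils.pm hunk at `-4236,10` calls `$::tldownload_server->reinit(certificates => $certs)`, so on that path `$certs` holds the string `certificates` rather than the bundle path. If HTTPS_CA_FILE is not already set when that call happens, it would be pointed at a file literally named `certificates`. Letting `reinit` take the same named form, `my %params = @_; my $certs = defined($params{'certificates'}) ? $params{'certificates'} : "";`, and having `new` call `$self->reinit(%params);` would make all three call sites agree. Both subs continue outside the hunks shown.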
@@ -68,6 +70,14 @@ sub reinit {
 @env_proxy = ("env_proxy", 1);
 }
 #
+ # Set HTTPS_CA_FILE to the TL provided certificate bundle
+ # for systems that don't have a system-wide certificate bundle
+ # in particular MacOS.
+ if ((! exists $ENV{'HTTPS_CA_FILE'}) && $certs) {
+ debug("Setting env var HTTPS_CA_FILE to " . $certs ."\n");
+ $ENV{'HTTPS_CA_FILE'} = $certs
+ }
+ #
 my $ua = LWP::UserAgent->new(
 agent => "texlive/lwp",
 # use LWP::ConnCache, and keep 1 connection open
diff --git a/tlpkg/TeXLive/TLUtils.pm b/tlpkg/TeXLive/TLUtils.pm
index 69566bc3..4997be20 100644
--- a/tlpkg/TeXLive/TLUtils.pm
+++ b/tlpkg/TeXLive/TLUtils.pm
@@ -4229,6 +4229,7 @@ false.
 =cut
 sub setup_persistent_downloads {
+ my $certs = shift;
 if ($TeXLive::TLDownload::net_lib_avail) {
 ddebug("setup_persistent_downloads has net_lib_avail set\n");
 if ($::tldownload_server) {
@@ -4236,10 +4237,10 @@ sub setup_persistent_downloads {
 debug("stop retrying to initialize LWP after 10 failures\n");
 return 0;
 } else {
- $::tldownload_server->reinit();
+ $::tldownload_server->reinit(certificates => $certs);
 }
 } else {
- $::tldownload_server = TeXLive::TLDownload->new;
+ $::tldownload_server = TeXLive::TLDownload->new(certificates => $certs);
 }
 if (!defined($::tldownload_server)) {
 ddebug("TLUtils:setup_persistent_downloads: failed to get ::tldownload_server\n");
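Review bot: The block added to `reinit` applies the TeX Live bundle on every platform whenever HTTPS_CA_FILE is unset, although its comment limits the intent to systems without a system-wide bundle; where a system trust store exists this presumably replaces it for LWP, including any locally installed CAs. The guard also does not look at the related variables LWP consults (PERL_LWP_SSL_CA_FILE, HTTPS_CA_DIR) and never tests the file, so `if (!exists $ENV{'HTTPS_CA_FILE'} && $certs && -r $certs) {` would at least avoid pointing verification at a missing bundle. Writing to `%ENV` is process-wide and inherited by child processes; if the minimum supported LWP allows it, passing `ssl_opts => { SSL_ca_file => $certs }` to `LWP::UserAgent->new` would keep the setting local to this user agent. The assignment `$ENV{'HTTPS_CA_FILE'} = $certs` is also missing its terminating semicolon.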
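Review bot: The new `$certs` argument of `setup_persistent_downloads` is undocumented: the `-4229,6` hunk adds `my $certs = shift;` but leaves the POD that ends at `=cut` just above it untouched. A sentence in that POD such as `If given, the argument is the path of a CA certificate bundle, handed to TeXLive::TLDownload as "certificates".` would cover it, along with a remark that callers passing nothing get the previous behaviour. The POD text itself lies outside the hunk, so its current wording could not be checked here.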