diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 19b385d70..d1bca749a 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -36,6 +36,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 984db8ee0..925f5d246 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -37,6 +37,9 @@ jobs:
       - name: Invoke tests
         run: |
 
+          # Install Root CA certificates
+          sudo ./devtools/install_certifi.py
+
           # Bootstrap environment.
           source bootstrap.sh
 
diff --git a/devtools/install_certifi.py b/devtools/install_certifi.py
new file mode 100755
index 000000000..6d95dd7cd
--- /dev/null
+++ b/devtools/install_certifi.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+
+# install_certifi.py
+#
+# sample script to install or update a set of default Root Certificates
+# for the ssl module.  Uses the certificates provided by the certifi package:
+#       https://pypi.python.org/pypi/certifi
+#
+# References:
+#
+# - https://stackoverflow.com/a/44649450
+# - https://github.com/Unbabel/COMET/issues/29#issuecomment-945601519
+# - https://github.com/python/cpython/blob/main/Mac/BuildScript/resources/install_certificates.command
+
+import os
+import os.path
+import ssl
+import stat
+import subprocess
+import sys
+
+STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
+             | stat.S_IROTH |                stat.S_IXOTH )  # fmt: skip
+
+
+def main():
+    openssl_dir, openssl_cafile = os.path.split(
+        ssl.get_default_verify_paths().openssl_cafile
+    )
+
+    print(" -- pip install --upgrade certifi")
+    subprocess.check_call(
+        [sys.executable, "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"]
+    )
+
+    import certifi
+
+    # change working directory to the default SSL directory
+    os.chdir(openssl_dir)
+    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
+    print(" -- removing any existing file or link")
+    try:
+        os.remove(openssl_cafile)
+    except FileNotFoundError:
+        pass
+    print(" -- creating symlink to certifi certificate bundle")
+    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
+    print(" -- setting permissions")
+    os.chmod(openssl_cafile, STAT_0o775)
+    print(" -- update complete")
+
+
+if __name__ == "__main__":
+    main()