diff --git a/Meta/CMake/ca_certificates_data.cmake b/Meta/CMake/ca_certificates_data.cmake
new file mode 100644
index 0000000000..6265d416af
--- /dev/null
+++ b/Meta/CMake/ca_certificates_data.cmake
@@ -0,0 +1,23 @@
+include(${CMAKE_CURRENT_LIST_DIR}/utils.cmake)
+
+set(CACERT_PATH "${SERENITY_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
+
+set(CACERT_VERSION 2023-01-10)
+set(CACERT_VERSION_FILE "${CACERT_PATH}/version.txt")
+
+set(CACERT_FILE cacert-${CACERT_VERSION}.pem)
+set(CACERT_URL https://curl.se/ca/${CACERT_FILE})
+set(CACERT_INSTALL_FILE cacert.pem)
+
+if (ENABLE_CACERT_DOWNLOAD)
+    remove_path_if_version_changed("${CACERT_VERSION}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")
+
+    download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}")
+
+    if (SERENITYOS)
+        set(CACERT_INSTALL_PATH ${CMAKE_STAGING_PREFIX}/etc/${CACERT_INSTALL_FILE})
+    else()
+        set(CACERT_INSTALL_PATH ${CMAKE_CURRENT_BINARY_DIR}/${CACERT_INSTALL_FILE})
+    endif()
+    configure_file(${CACERT_PATH}/${CACERT_FILE} ${CACERT_INSTALL_PATH} COPYONLY)
+endif()
diff --git a/Meta/CMake/common_options.cmake b/Meta/CMake/common_options.cmake
index f6155fb0a9..1dc234ae96 100644
--- a/Meta/CMake/common_options.cmake
+++ b/Meta/CMake/common_options.cmake
@@ -18,6 +18,7 @@ serenity_option(ENABLE_TIME_ZONE_DATABASE_DOWNLOAD ON CACHE BOOL "Enable downloa
 serenity_option(ENABLE_UNICODE_DATABASE_DOWNLOAD ON CACHE BOOL "Enable download of Unicode UCD and CLDR files at build time")
 serenity_option(INCLUDE_WASM_SPEC_TESTS OFF CACHE BOOL "Download and include the WebAssembly spec testsuite")
 serenity_option(INCLUDE_FLAC_SPEC_TESTS OFF CACHE BOOL "Download and include the FLAC spec testsuite")
+serenity_option(ENABLE_CACERT_DOWNLOAD ON CACHE BOOL "Enable download of cacert.pem at build time")
 
 serenity_option(HACKSTUDIO_BUILD OFF CACHE BOOL "Automatically enabled when building from HackStudio")
 
diff --git a/Meta/Lagom/CMakeLists.txt b/Meta/Lagom/CMakeLists.txt
index b8196b67e8..a2b47181c7 100644
--- a/Meta/Lagom/CMakeLists.txt
+++ b/Meta/Lagom/CMakeLists.txt
@@ -588,7 +588,6 @@ if (BUILD_LAGOM)
             LibPDF
             LibSQL
             LibTextCodec
-            LibTLS
             LibTTF
             LibTimeZone
             LibUnicode
@@ -602,6 +601,9 @@ if (BUILD_LAGOM)
             add_serenity_subdirectory("Tests/${dir}")
         endforeach()
 
+        # LibTLS needs a special working directory to find cacert.pem
+        lagom_test(../../Tests/LibTLS/TestTLSHandshake.cpp LibTLS LIBS LibTLS LibCrypto)
+
         # LibCore
         lagom_test(../../Tests/LibCore/TestLibCoreIODevice.cpp WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../../Tests/LibCore)
 
@@ -717,3 +719,5 @@ if (NOT "$ENV{LAGOM_TARGET}" STREQUAL "")
         VERBATIM
     )
 endif()
+
+include(ca_certificates_data)
diff --git a/Userland/Libraries/LibTLS/CMakeLists.txt b/Userland/Libraries/LibTLS/CMakeLists.txt
index 71049f13e4..6b71b23657 100644
--- a/Userland/Libraries/LibTLS/CMakeLists.txt
+++ b/Userland/Libraries/LibTLS/CMakeLists.txt
@@ -13,3 +13,5 @@ set(SOURCES
 
 serenity_lib(LibTLS tls)
 target_link_libraries(LibTLS PRIVATE LibCore LibCrypto)
+
+include(ca_certificates_data)