diff --git a/Tests/LibTLS/TestTLSHandshake.cpp b/Tests/LibTLS/TestTLSHandshake.cpp
index f3ff6c6fa9..c7b0d35834 100644
--- a/Tests/LibTLS/TestTLSHandshake.cpp
+++ b/Tests/LibTLS/TestTLSHandshake.cpp
@@ -72,8 +72,11 @@ Vector load_certificates()
 continue;
 }
 auto certificate = certificate_result.release_value();
- if (certificate.is_certificate_authority)
+ if (certificate.is_certificate_authority && certificate.is_self_signed()) {
 certificates.append(move(certificate));
+ } else {
+ dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+ }
 }

 return certificates;
diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp
index e60b830349..d2ff01791b 100644
--- a/Userland/Libraries/LibTLS/TLSv12.cpp
+++ b/Userland/Libraries/LibTLS/TLSv12.cpp
@@ -522,12 +522,11 @@ void DefaultRootCACertificates::reload_certificates(ByteBuffer& data)
 continue;
 }
 auto certificate = certificate_result.release_value();
- // FIXME: We might want to check additional things here to make sure we only load root CAs:
- // - Root certificates are self-signed
- // - Either it has matched Authority Key Identifier with Subject Key Identifier,
- // - in some cases there is no Authority Key identifier, then Issuer string should match with Subject string
- if (certificate.is_certificate_authority)
+ if (certificate.is_certificate_authority && certificate.is_self_signed()) {
 m_ca_certificates.append(move(certificate));
+ } else {
+ dbgln("Skipped '{}' because it is not a valid root CA", certificate.subject_identifier_string());
+ }
 }

 dbgln("Loaded {} of {} ({:.2}%) provided CA Certificates", m_ca_certificates.size(), certs.size(), (m_ca_certificates.size() * 100.0) / certs.size());
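Review bot: The root-CA predicate `certificate.is_certificate_authority && certificate.is_self_signed()` and its `dbgln` in `load_certificates()` are a hand copy of the filter in `DefaultRootCACertificates::reload_certificates`, so the trust store the handshake test builds can drift from the one the library builds. If the library loader can be called from the test (not visible in this hunk), loading through it would make the test exercise the real filter. Otherwise a comment above the `if`, such as `// Keep in sync with DefaultRootCACertificates::reload_certificates()`, would at least record the coupling. `load_certificates()` starts and ends outside the hunk.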
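Review bot: The new condition in `reload_certificates` rests the whole trust-anchor decision on `is_self_signed()`, whose definition is not part of this diff, while the removed FIXME spelled out what the check should mean (Authority Key Identifier matching Subject Key Identifier, or issuer equal to subject when no AKI is present). Please confirm that the helper covers both cases and whether it verifies the signature against the certificate's own public key or only compares names, since a name-only comparison would accept any self-issued CA certificate that ends up in the bundle. I would keep a short comment where the FIXME was, e.g. `// Trust anchors must be self-signed CA certificates; is_self_signed() defines what is actually verified.` The single skip message also hides which of the two conditions failed; logging that would make an unexpectedly shrinking root store easier to diagnose. The function body starts and ends outside the hunk.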