diff --git a/httptap.go b/httptap.go
index 53ffb6b..4595a8a 100644
--- a/httptap.go
+++ b/httptap.go
@@ -255,9 +255,15 @@ func Main() error {
 }
 defer os.RemoveAll(tempdir)
 
+ // marshal certificate authority to PEM format
+ caPEM, err := certfile.MarshalPEM(ca.Certificate)
+ if err != nil {
+ return fmt.Errorf("error marshaling certificate authority to PEM format: %w", err)
+ }
+
 // write certificate authority to PEM file
 caPath := filepath.Join(tempdir, "ca-certificates.crt")
- err = certfile.WritePEM(caPath, ca.Certificate)
+ err = os.WriteFile(caPath, caPEM, 0666)
 if err != nil {
 return fmt.Errorf("error writing certificate authority to temporary PEM file: %w", err)
 }
@@ -265,7 +271,7 @@ func Main() error {
 
 // write certificate authority to another common PEM file
 caPath2 := filepath.Join(tempdir, "ca-bundle.crt")
- err = certfile.WritePEM(caPath2, ca.Certificate)
+ err = os.WriteFile(caPath2, caPEM, 0666)
 if err != nil {
 return fmt.Errorf("error writing certificate authority to temporary PEM file: %w", err)
 }
@@ -422,6 +428,19 @@ func Main() error {
 defer mount.Remove()
 }
 
+ // overlay common certificate authority file locations
+ var caLocations = []string{"/etc/ssl/certs/ca-certificates.crt"}
+ for _, path := range caLocations {
+ if st, err := os.Lstat(path); err == nil && st.Mode().IsRegular() && !args.NoOverlay {
+ verbosef("overlaying %v...", path)
+ mount, err := overlay.Mount(filepath.Dir(path), overlay.File(filepath.Base(path), caPEM))
+ if err != nil {
+ return fmt.Errorf("error setting up overlay: %w", err)
+ }
+ defer mount.Remove()
+ }
+ }
+
 // switch user and group if requested
 if args.User != "" {
 u, err := user.Lookup(args.User)
diff --git a/pkg/certfile/certfile.go b/pkg/certfile/certfile.go
index def6c95..19bea53 100644
--- a/pkg/certfile/certfile.go
+++ b/pkg/certfile/certfile.go
@@ -1,6 +1,7 @@
 package certfile
 
 import (
+ "bytes"
 "crypto/x509"
 "encoding/pem"
 "fmt"
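Review bot: The `os.WriteFile(caPath, caPEM, 0666)` call in this hunk, and the matching one for `caPath2` in the @@ -265 hunk, create the trust anchor with a world-writable mode (subject to umask); nothing visible needs write access to these bundles, so `err = os.WriteFile(caPath, caPEM, 0644)` is the safer and more conventional choice. Whatever mode `certfile.WritePEM` applied before is not visible here, so it is worth confirming the replacement does not loosen it. Since `caPEM` is also the content handed to the overlay in the @@ -422 hunk, a short comment at the marshal step such as `// caPEM is reused for both tempdir copies and for the system overlay below` would explain why it is computed once. Main starts and ends outside this hunk.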
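Review bot: In the @@ -422 hunk the overlay is skipped silently whenever `os.Lstat` fails or the path is not a regular file, and `!args.NoOverlay` is re-evaluated inside the loop after the stat; a user whose bundle is absent, or is a symlink (which `Lstat` reports as non-regular, so it would be skipped here — worth confirming that is intended rather than using `os.Stat`), gets no indication that the system trust store was left untouched. Hoisting the flag check around the loop and logging the skip with `verbosef` keeps the best-effort behaviour while making it observable; `var caLocations = ...` can also become a plain `:=`. Main starts and ends outside this hunk.
```go
// overlay common certificate authority file locations
caLocations := []string{"/etc/ssl/certs/ca-certificates.crt"}
if !args.NoOverlay {
	for _, path := range caLocations {
		st, err := os.Lstat(path)
		if err != nil || !st.Mode().IsRegular() {
			verbosef("not overlaying %v: missing or not a regular file", path)
			continue
		}
		// … unchanged: verbosef, overlay.Mount, error check, defer mount.Remove() …
	}
}
```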
@@ -9,6 +10,19 @@ import (
 "software.sslmate.com/src/go-pkcs12"
 )
 
+ // MarshalPEM encodes an x509 certficate to bytes in PEM format
+ func MarshalPEM(certificate *x509.Certificate) ([]byte, error) {
+ var b bytes.Buffer
+ err := pem.Encode(&b, &pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: certificate.Raw,
+ })
+ if err != nil {
+ return nil, err
+ }
+ return b.Bytes(), nil
+ }
+
 // WritePEM writes an x509 certificate to a PEM file
 func WritePEM(path string, certificate *x509.Certificate) (err error) {
 var f *os.File
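Review bot: `MarshalPEM` dereferences `certificate.Raw` without a nil check, so a caller passing a nil certificate (for example when CA generation failed upstream) panics instead of getting the error return the signature promises; `if certificate == nil { return nil, fmt.Errorf("certificate is nil") }` at the top of the function fixes that with the `fmt` import the file already has. The doc comment also has a typo and should read `// MarshalPEM encodes an x509 certificate to bytes in PEM format.` to match the full-sentence convention used by `WritePEM` below. `WritePEM` starts inside this hunk but its body continues outside it.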