diff --git a/cmd/go-cache-plugin/addca_darwin.go b/cmd/go-cache-plugin/addca_darwin.go
new file mode 100644
index 0000000..9da496f
--- /dev/null
+++ b/cmd/go-cache-plugin/addca_darwin.go
@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+ "os"
+ "os/exec"
+
+ "github.com/creachadair/command"
+ "github.com/creachadair/tlsutil"
+)
+
+func installSigningCert(env *command.Env, cert tlsutil.Certificate) error {
+ tf, err := os.CreateTemp("", "addca.*")
+ if err != nil {
+ return err
+ }
+ defer os.Remove(tf.Name())
+ defer tf.Close()
+
+ if _, err := tf.Write(cert.CertPEM()); err != nil {
+ return err
+ } else if err := tf.Close(); err != nil {
+ return err
+ }
+
+ const systemKeychain = "/Library/Keychains/System.keychain"
+ return sudo("security", "add-trusted-cert", "-d", "-k", systemKeychain, tf.Name())
+}
+
+func sudo(args ...string) error {
+ cmd := exec.Command("sudo", args...)
+ cmd.Stdout = os.Stderr
+ cmd.Stderr = os.Stderr
+ return cmd.Run()
+}
diff --git a/cmd/go-cache-plugin/addca_default.go b/cmd/go-cache-plugin/addca_default.go
index c62fee8..e862478 100644
--- a/cmd/go-cache-plugin/addca_default.go
+++ b/cmd/go-cache-plugin/addca_default.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
-//go:build !linux
+//go:build !(linux || darwin)
 package main
@@ -13,9 +13,7 @@ import (
 )
 func installSigningCert(env *command.Env, cert tlsutil.Certificate) error {
- // TODO(creachadair): Maybe crib some other cases from mkcert, if we need
- // them, for example:
- // https://github.com/FiloSottile/mkcert/blob/master/truststore_darwin.go
+ // TODO(creachadair): Maybe crib other cases from mkcert, if we need them.
 return errors.New("unable to install a certificate on this system")
 }
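Review bot: The `security add-trusted-cert -d -k systemKeychain` call in the new `installSigningCert` (addca_darwin.go) adds the certificate to the System keychain with no policy restriction, so the CA becomes trusted machine-wide for every purpose rather than only for TLS. If the certificate is only used to sign TLS server certificates, which the hunk does not show, passing `"-p", "ssl"` before `"-k"` would limit what a leaked signing key can be used for. Both `sudo` and `security` are resolved through PATH just before a privileged step; naming them as `/usr/bin/sudo` and `/usr/bin/security` avoids picking up a shadowing binary from an earlier PATH entry. The function also has no doc comment, and one stating that it modifies system-wide trust and prompts for admin rights would help callers, for example `// installSigningCert adds cert as a trusted root in the macOS System keychain; it runs sudo and affects all users.`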