diff --git a/moq-relay/src/config.rs b/moq-relay/src/config.rs
index 71ed02f..a0a6646 100644
--- a/moq-relay/src/config.rs
+++ b/moq-relay/src/config.rs
@@ -24,6 +24,13 @@ pub struct Config {
 	#[arg(long)]
 	pub tls_key: Vec<path::PathBuf>,
 
+	/// Use the TLS root at this path, encoded as PEM.
+	///
+	/// This value can be provided multiple times for multiple roots.
+	/// If this is empty, system roots will be used instead
+	#[arg(long)]
+	pub tls_root: Vec<path::PathBuf>,
+
 	/// Optional: Use the moq-api via HTTP to store origin information.
 	#[arg(long)]
 	pub api: Option<Url>,
diff --git a/moq-relay/src/tls.rs b/moq-relay/src/tls.rs
index aa85aac..14eeff2 100644
--- a/moq-relay/src/tls.rs
+++ b/moq-relay/src/tls.rs
@@ -38,9 +38,22 @@ impl Tls {
 		// Create a list of acceptable root certificates.
 		let mut roots = RootCertStore::empty();
 
-		// Add the platform's native root certificates.
-		for cert in rustls_native_certs::load_native_certs().context("could not load platform certs")? {
-			roots.add(&Certificate(cert.0)).context("failed to add root cert")?;
+		if config.tls_root.is_empty() {
+			// Add the platform's native root certificates.
+			for cert in rustls_native_certs::load_native_certs().context("could not load platform certs")? {
+				roots.add(&Certificate(cert.0)).context("failed to add root cert")?;
+			}
+		} else {
+			// Add the specified root certificates.
+			for root in &config.tls_root {
+				let root = fs::File::open(root).context("failed to open root cert file")?;
+				let mut root = io::BufReader::new(root);
+				let root = rustls_pemfile::certs(&mut root).context("failed to read root cert")?;
+				anyhow::ensure!(root.len() == 1, "expected a single root cert");
+				let root = Certificate(root[0].to_owned());
+
+				roots.add(&root).context("failed to add root cert")?;
+			}
 		}
 
 		let certs = Self {