diff --git a/smx509/root_darwin.go b/smx509/root_darwin.go
index 6719854..06ad81e 100644
--- a/smx509/root_darwin.go
+++ b/smx509/root_darwin.go
@@ -1,5 +1,8 @@
 package smx509
 
+//
+// We DO NOT support system verify on darwin due to complex internal package dependencies.
+//
 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
 	return nil, nil
 }
diff --git a/smx509/root_linux.go b/smx509/root_linux.go
index 6eb5501..dda7f91 100644
--- a/smx509/root_linux.go
+++ b/smx509/root_linux.go
@@ -1,5 +1,7 @@
 package smx509
 
+import "runtime"
+
 // Possible certificate files; stop after finding one.
 var certFiles = []string{
 	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
@@ -14,5 +16,13 @@ var certFiles = []string{
 var certDirectories = []string{
 	"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
 	"/etc/pki/tls/certs",           // Fedora/RHEL
-	"/system/etc/security/cacerts", // Android
+}
+
+func init() {
+	if runtime.GOOS == "android" {
+		certDirectories = append(certDirectories,
+			"/system/etc/security/cacerts",    // Android system roots
+			"/data/misc/keychain/certs-added", // User trusted CA folder
+		)
+	}
 }