diff --git a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
index 189a1087f5..6cd06acf3c 100644
--- a/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
+++ b/src/Core/Platform/X509ChainCustomization/X509ChainOptions.cs
@@ -53,6 +53,10 @@ public sealed class X509ChainOptions
             return false;
         }
 
+        // Do this outside of the callback so that we aren't opening the root store every request.
+        using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine, OpenFlags.ReadOnly);
+        var rootCertificates = store.Certificates;
+
         // Ref: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581
         callback = (certificate, chain, errors) =>
         {
@@ -62,6 +66,10 @@ public sealed class X509ChainOptions
             }
 
             chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+
+            // We want our additional certificates to be in addition to the machines root store.
+            chain.ChainPolicy.CustomTrustStore.AddRange(rootCertificates);
+
             foreach (var additionalCertificate in AdditionalCustomTrustCertificates)
             {
                 chain.ChainPolicy.CustomTrustStore.Add(additionalCertificate);
diff --git a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
index 2a4ed55489..cec8a2a39d 100644
--- a/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
+++ b/test/Core.Test/Platform/X509ChainCustomization/X509ChainCustomizationServiceCollectionExtensionsTests.cs
@@ -257,6 +257,41 @@ public class X509ChainCustomizationServiceCollectionExtensionsTests
         Assert.Equal("Hi", response);
     }
 
+    [Fact]
+    public async Task CallHttp_ReachingOutToServerTrustedThroughSystemCA()
+    {
+        var services = CreateServices((gs, environment, config) => { }, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetAsync("https://example.com");
+        response.EnsureSuccessStatusCode();
+    }
+
+    [Fact]
+    public async Task CallHttpWithCustomTrustForSelfSigned_ReachingOutToServerTrustedThroughSystemCA()
+    {
+        var selfSignedCertificate = CreateSelfSignedCert("localhost");
+        var services = CreateServices((gs, environment, config) => { }, services =>
+        {
+            services.Configure<X509ChainOptions>(options =>
+            {
+                options.AdditionalCustomTrustCertificates = [selfSignedCertificate];
+            });
+        });
+
+        var httpClient = services.GetRequiredService<IHttpClientFactory>().CreateClient();
+
+        var response = await httpClient.GetAsync("https://example.com");
+        response.EnsureSuccessStatusCode();
+    }
+
     private static async Task<IAsyncDisposable> CreateServerAsync(int port, Action<HttpsConnectionAdapterOptions> configure)
     {
         var builder = WebApplication.CreateEmptyBuilder(new WebApplicationOptions());