diff --git a/net/bakedroots/bakedroots.go b/net/bakedroots/bakedroots.go
index f7e4fa21e..42e70c0dd 100644
--- a/net/bakedroots/bakedroots.go
+++ b/net/bakedroots/bakedroots.go
@@ -16,7 +16,12 @@ import (
 //
 // As of 2025-01-21, this includes only the LetsEncrypt ISRG Root X1 root.
 func Get() *x509.CertPool {
- roots.once.Do(func() { roots.parsePEM([]byte(letsEncryptX1)) })
+ roots.once.Do(func() {
+ roots.parsePEM(append(
+ []byte(letsEncryptX1),
+ letsEncryptX2...,
+ ))
+ })
 return roots.p
 }
@@ -120,3 +125,25 @@ mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
 `
+
+// letsEncryptX2 is the ISRG Root X2.
+//
+// Subject: O = Internet Security Research Group, CN = ISRG Root X2
+// Key type: ECDSA P-384
+// Validity: until 2035-09-04 (generated 2020-09-04)
+const letsEncryptX2 = `
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
+`
diff --git a/net/bakedroots/bakedroots_test.go b/net/bakedroots/bakedroots_test.go
index 9aa4366c8..8ba502a78 100644
--- a/net/bakedroots/bakedroots_test.go
+++ b/net/bakedroots/bakedroots_test.go
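Review bot: The doc comment kept as context at the top of this hunk, `// As of 2025-01-21, this includes only the LetsEncrypt ISRG Root X1 root.`, is stale once Get() loads both constants, and it is the one sentence a reader relies on to know what a TLS peer is trusted against when this pool is used; it should become something like `// As of <commit date>, this includes the LetsEncrypt ISRG Root X1 and ISRG Root X2 roots.` As a matter of style, `append([]byte(letsEncryptX1), letsEncryptX2...)` builds the buffer in two steps from what are two compile-time constants; `roots.parsePEM([]byte(letsEncryptX1 + letsEncryptX2))` says the same thing in one line and lets the compiler fold the concatenation. parsePEM is not visible in this diff, so whether a PEM block that fails to parse is rejected loudly or dropped silently has to be confirmed there; the test's count check is currently the only guard I can see against a mangled paste.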
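Review bot: The `Validity` line in the letsEncryptX2 doc comment does not match the certificate it sits above: the two UTCTime fields in the base64 body decode to `200904000000Z` and `400917160000Z`, so the root is valid from 2020-09-04 until 2040-09-17, not until 2035-09-04. A baked-in root's expiry is the date that drives its eventual replacement, so the comment should carry the real one: `// Validity: 2020-09-04 to 2040-09-17`. The 2035 date may have been carried over from another root's comment; either way these fields are better copied from the parsed certificate than typed by hand. Adding `// SHA-256 fingerprint: <fingerprint placeholder>` would also let a reviewer check the pasted PEM against the published value without decoding it.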
@@ -3,13 +3,30 @@ package bakedroots
-import "testing"
+import (
+ "slices"
+ "testing"
+)
 func TestBakedInRoots(t *testing.T) {
 ResetForTest(t, nil)
 p := Get()
 got := p.Subjects()
- if len(got) != 1 {
- t.Errorf("subjects = %v; want 1", len(got))
+ if len(got) != 2 {
+ t.Errorf("subjects = %v; want 2", len(got))
+ }
+
+ // TODO(bradfitz): is there a way to easily make this test prettier without
+ // writing a DER decoder? I'm not seeing how.
+ var name []string
+ for _, der := range got {
+ name = append(name, string(der))
+ }
+ want := []string{
+ "0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X1",
+ "0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X2",
+ }
+ if !slices.Equal(name, want) {
+ t.Errorf("subjects = %q; want %q", name, want)
 }
 }
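Review bot: The TODO about needing a DER decoder can be answered with the standard library: `encoding/asn1` unmarshals each raw subject into a `pkix.RDNSequence`, and `pkix.Name.FillFromRDNSequence` followed by `Name.String()` yields a readable distinguished name, so `want` can hold `CN=ISRG Root X1,O=Internet Security Research Group,C=US` instead of escaped DER bytes (the values are the same attributes already spelled out in the escaped strings). That makes the next root addition reviewable from the diff alone rather than by decoding `\x06\x03U\x04\x03`. The rewritten loop and `want` are below; the imports gain `crypto/x509/pkix` and `encoding/asn1`, and the `slices.Equal` comparison is unchanged. Separately, `x509.CertPool.Subjects` is marked deprecated in the standard library; for a pool built solely by this package it still returns exactly the baked-in subjects, so this is fine here, but worth a one-line comment so the deprecation warning is not "fixed" later by removing the assertion.

```go
var name []string
for _, der := range got {
	var rdn pkix.RDNSequence
	if _, err := asn1.Unmarshal(der, &rdn); err != nil {
		t.Fatalf("parsing subject DER: %v", err)
	}
	var n pkix.Name
	n.FillFromRDNSequence(&rdn)
	name = append(name, n.String())
}
want := []string{
	"CN=ISRG Root X1,O=Internet Security Research Group,C=US",
	"CN=ISRG Root X2,O=Internet Security Research Group,C=US",
}
// … unchanged: slices.Equal comparison and t.Errorf …
```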