diff --git a/src/crypto/x509/root_darwin_test.go b/src/crypto/x509/root_darwin_test.go
index 27806538121f6..5ad19d72cd12a 100644
--- a/src/crypto/x509/root_darwin_test.go
+++ b/src/crypto/x509/root_darwin_test.go
@@ -5,6 +5,7 @@
 package x509
 
 import (
+	"crypto/rsa"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -104,6 +105,14 @@ func TestSystemRoots(t *testing.T) {
 			continue
 		}
 
+		// On 10.11 there are five unexplained roots that only show up from the
+		// C API. They have in common the fact that they are old, 1024-bit
+		// certificates. It's arguably better to ignore them anyway.
+		if key, ok := c.PublicKey.(*rsa.PublicKey); ok && key.N.BitLen() == 1024 {
+			t.Logf("1024-bit certificate only present in cgo pool (acceptable): %v", c.Subject)
+			continue
+		}
+
 		t.Errorf("certificate only present in cgo pool: %v", c.Subject)
 	}