Right now, you might get lucky if you set process.env.NODE_EXTRA_CA_CERTS = 'foo.crt' real early.

It's not reliable and I don't think NODE_EXTRA_CA_CERTS was intended to be used that way (rather the contrary) so I suggest loading the extra certificates at startup rather than on first use.

Refs #20432.