diff --git a/ca-store-generator.js b/ca-store-generator.js
index 1d66010..a98391b 100644
--- a/ca-store-generator.js
+++ b/ca-store-generator.js
@@ -6,18 +6,10 @@ var fs = require('fs')
 , path = require('path')
 , request = require('request')
 , CERTDB_URL = 'https://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1'
- , HEADER
 , outputFile
 , outputPemsDir
 ;
-HEADER =
- "/**\n" +
- " * Mozilla's root CA store\n" +
- " *\n" +
- " * generated from " + CERTDB_URL + "\n" +
- " */\n\n";
-
 function Certificate() {
 this.name = null;
 this.body = '';
@@ -156,26 +148,9 @@ function dumpCerts(certs, filename, pemsDir) {
 fs.writeFileSync(
 filename
- , HEADER
- + 'var cas = module.exports = [\n'
- + certs.map(function (cert) { return cert.quasiPEM().value; }).join(',\n\n')
- + '\n];\n'
- + "module.exports.rootCas = cas;\n"
- + "module.exports.inject = function () {\n"
- + " var opts = require('https').globalAgent.options;\n"
- + " if (!opts.ca || !opts.ca.__injected) { opts.ca = (opts.ca||[]).concat(cas); }\n"
- + " opts.ca.__injected = true;\n"
- + " return module.exports;\n"
- + "};\n"
- + "module.exports.addFile = function (filepath) {\n"
- + " var opts = require('https').globalAgent.options;\n"
- + " var root = filepath[0] === '/' ? '/' : '';\n"
- + " var filepaths = filepath.split(/\\//g);\n"
- + " if (root) { filepaths.unshift(root); }\n"
- + " opts.ca = opts.ca || [];\n"
- + " opts.ca.push(require('fs').readFileSync(require('path').join.apply(null, filepaths)));\n"
- + " return module.exports;\n"
- + "};\n"
+ , fs.readFileSync(path.join(__dirname, 'ssl-root-cas.tpl.js'), 'utf8')
+ .replace(/\/\*TPL\*\//, certs.map(function (cert) { return cert.quasiPEM().value; }).join(',\n\n'))
+ , 'utf8'
 );
 console.info("Wrote '" + filename.replace(/'/g, "\\'") + "'.");
 }
diff --git a/ssl-root-cas.tpl.js b/ssl-root-cas.tpl.js
new file mode 100644
index 0000000..bcbdd49
--- /dev/null
+++ b/ssl-root-cas.tpl.js
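Review bot: In dumpCerts the joined certificate text is handed to `.replace()` as a replacement string, so any `$&`, `$'` or `$$` sequence inside a `quasiPEM().value` (its format is not visible in this hunk) would be expanded rather than written literally. Passing a function avoids that: `.replace(/\/\*TPL\*\//, function () { return body; })`, with `body` holding the joined certificates. The call also succeeds silently when the template lacks the `/*TPL*/` marker or `certs` is empty, which would write a store with no certificates; reading the template into a variable and throwing when the marker is absent or `certs.length === 0` makes the generator fail instead of shipping an empty trust list. dumpCerts begins above the hunk.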
@@ -0,0 +1,49 @@
+/**
+ * Mozilla's root CA store
+ *
+ * generated from https://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1
+ */
+'use strict';
+
+var originalCas = [
+/*TPL*/
+];
+module.exports.rootCas = module.exports = originalCas.slice(0);
+module.exports.rootCas.inject = function (/*context*/) {
+ var rootCas = this || module.exports.rootCas;
+ var opts = /*context ||*/ require('https').globalAgent.options;
+ if (!opts.ca || !opts.ca.__injected) { opts.ca = (opts.ca||[]).concat(rootCas); }
+ opts.ca.__injected = true;
+ return module.exports;
+};
+module.exports.rootCas.addFile = function (filepath) {
+ // BEGIN TODO
+ // What is this filepath stuff all about?
+ // (maybe be a leftover MS Windows hack ??)
+ // Can we get rid of it?
+ var path = require('path');
+ var root = (filepath[0] === '/' ? '/' : '');
+ var filepaths = filepath.split(/\//g);
+ if (root) { filepaths.unshift(root); }
+ filepath = path.join.apply(null, filepaths);
+ // END TODO
+
+ var httpsOpts = require('https').globalAgent.options;
+ var rootCas = this || module.exports.rootCas;
+ var buf = require('fs').readFileSync(filepath);
+ rootCas.push(buf);
+ // backwards compat
+ if (rootCas !== httpsOpts.ca) {
+ httpsOpts.ca = httpsOpts.ca || [];
+ httpsOpts.ca.push(buf);
+ }
+ return module.exports;
+};
+module.exports.create = function () {
+ var rootCas = originalCas.slice(0);
+
+ rootCas.inject = module.exports.inject;
+ rootCas.addFile = module.exports.addFile;
+
+ return rootCas;
+};
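Review bot: `module.exports.rootCas = module.exports = originalCas.slice(0);` resolves the left-hand `module.exports` before the inner assignment runs, so `rootCas` lands on the old exports object and the new array has no `rootCas` property; the next statement, `module.exports.rootCas.inject = ...`, would then throw when the generated module is loaded. Assigning in two steps avoids this: `var rootCas = module.exports = originalCas.slice(0);` followed by `rootCas.rootCas = rootCas;`. Separately, in `addFile` the `rootCas !== httpsOpts.ca` test is true for any list returned by `create()`, so a certificate added to a private list is also pushed into `https.globalAgent.options.ca` and becomes a trust anchor for every request on the global agent. Consider restricting that branch to `rootCas === module.exports.rootCas` and adding a comment that `filepath` must come from trusted configuration, since the file is read and trusted without any check that it is a certificate.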