diff --git a/test/cpp/util/create_test_channel.cc b/test/cpp/util/create_test_channel.cc
index a521162bea210c02c33781b7b5a5894bf6fe9714..301e9a3c3a36884598eb58d72f5527d9c973f292 100644
--- a/test/cpp/util/create_test_channel.cc
+++ b/test/cpp/util/create_test_channel.cc
@@ -45,6 +45,8 @@ namespace grpc {
 // override_hostname is provided.
 // When ssl is not enabled, override_hostname is ignored.
 // Set use_prod_root to true to use the SSL root for connecting to google.
+// In this case, path to the roots pem file must be set via environment variable
+// GRPC_DEFAULT_SSL_ROOTS_FILE_PATH.
 // Otherwise, root for test SSL cert will be used.
 // creds will be used to create a channel when enable_ssl is true.
 // Use examples:
@@ -60,7 +62,7 @@ std::shared_ptr<ChannelInterface> CreateTestChannel(
   ChannelArguments channel_args;
   if (enable_ssl) {
     const char* roots_certs =
-        use_prod_roots ? prod_roots_certs : test_root_cert;
+        use_prod_roots ? "" : test_root_cert;
     SslCredentialsOptions ssl_opts = {roots_certs, "", ""};
 
     std::unique_ptr<Credentials> channel_creds =
diff --git a/tools/dockerfile/grpc_cxx/Dockerfile b/tools/dockerfile/grpc_cxx/Dockerfile
index 43da9fefc378959184fcf203d519a3541591fb79..9b20e7a58e48e339dfac9932485e625bea616b7c 100644
--- a/tools/dockerfile/grpc_cxx/Dockerfile
+++ b/tools/dockerfile/grpc_cxx/Dockerfile
@@ -22,5 +22,7 @@ RUN cd /var/local/git/grpc && ls \
   && make interop_server
 
 ADD service_account service_account
+ADD cacerts cacerts
+ENV GRPC_DEFAULT_SSL_ROOTS_FILE_PATH /cacerts/roots.pem
 
 CMD ["/var/local/git/grpc/bins/opt/interop_server", "--enable_ssl", "--port=8010"]
diff --git a/tools/gce_setup/shared_startup_funcs.sh b/tools/gce_setup/shared_startup_funcs.sh
index eea940864da23295532426a4c363ce975cd68f83..a6f73d16367ef011fc1af30f7768ad40249ecad9 100755
--- a/tools/gce_setup/shared_startup_funcs.sh
+++ b/tools/gce_setup/shared_startup_funcs.sh
@@ -389,6 +389,7 @@ grpc_dockerfile_install() {
     grpc_docker_sync_service_account $dockerfile_dir/service_account || return 1;
   }
   [[ $image_label == "grpc/cxx" ]] && {
+    grpc_docker_sync_roots_pem $dockerfile_dir/cacerts || return 1;
     grpc_docker_sync_service_account $dockerfile_dir/service_account || return 1;
   }