diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index 46e493b347afce5238a849e19ba3a4dbb398baa0..c588ec3f1ce1578bf2217a9359041072fedbb754 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -143,15 +143,14 @@ grpc_channel_credentials *grpc_google_default_credentials_create(void);
 #define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
   "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
 
-/* Overrides the default path for TLS/SSL roots.
-   The path must point to a PEM encoded file with all the roots such as the one
-   that can be downloaded from https://pki.google.com/roots.pem.
+/* Overrides the default TLS/SSL roots.
+   The roots must be encoded as PEM and NULL-terminated.
    This function is not thread-safe and must be called at initialization time
    before any ssl credentials are created to have the desired side effect.
-   It also does not do any checks about the validity or contents of the path.
-   If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set, it will override
-   the roots_path specified in this function. */
-void grpc_override_ssl_default_roots_file_path(const char *roots_path);
+   It also does not do any checks about the validity of the encoding.
+   If the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path,
+   it will override the roots specified in this function. */
+void grpc_override_ssl_default_roots(const char *roots_pem);
 
 /* Object that holds a private key / certificate chain pair in PEM format. */
 typedef struct {
@@ -169,10 +168,9 @@ typedef struct {
      of the server root certificates. If this parameter is NULL, the
      implementation will first try to dereference the file pointed by the
      GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails,
-     try to get the roots from the path specified in the function
-     grpc_override_ssl_default_roots_file_path. Eventually, if all these fail,
-     it will try to get the roots from a well-known place on disk (in the grpc
-     install directory).
+     try to get the roots set by grpc_override_ssl_default_roots. Eventually,
+     if all these fail, it will try to get the roots from a well-known place on
+     disk (in the grpc install directory).
    - pem_key_cert_pair is a pointer on the object containing client's private
      key and certificate chain. This parameter can be NULL if the client does
      not have such a key/cert pair. */
diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c
index 7e5cb67146b9b75d14d348c72376b50fc38d6e66..8a67243a18faf85911ea3a0512537297954b70be 100644
--- a/src/core/security/security_connector.c
+++ b/src/core/security/security_connector.c
@@ -61,12 +61,12 @@ static const char *installed_roots_path =
     INSTALL_PREFIX "/share/grpc/roots.pem";
 #endif
 
-/* -- Overridden default roots file path. -- */
+/* -- Overridden default roots. -- */
 
-static const char *overridden_default_roots_file_path = NULL;
+static gpr_slice overridden_default_roots;
 
-void grpc_override_ssl_default_roots_file_path(const char *roots_path) {
-  overridden_default_roots_file_path = roots_path;
+void grpc_override_ssl_default_roots(const char *roots_pem) {
+  overridden_default_roots = gpr_slice_from_copied_string(roots_pem);
 }
 
 /* -- Cipher suites. -- */
@@ -616,8 +616,8 @@ static gpr_slice compute_default_pem_root_certs_once(void) {
 
   /* Try overridden roots path if needed. */
   if (GPR_SLICE_IS_EMPTY(result) &&
-      overridden_default_roots_file_path != NULL) {
-    result = gpr_load_file(overridden_default_roots_file_path, 0, NULL);
+      !GPR_SLICE_IS_EMPTY(overridden_default_roots)) {
+    result = gpr_slice_ref(overridden_default_roots);
   }
 
   /* Fall back to installed certs if needed. */
diff --git a/test/core/security/security_connector_test.c b/test/core/security/security_connector_test.c
index ed9f87dccc03a965ead69c76345dc87fe54a58d4..6cf7e61c0a7ffe389584fda3c97d49fbdbbee358 100644
--- a/test/core/security/security_connector_test.c
+++ b/test/core/security/security_connector_test.c
@@ -304,13 +304,6 @@ static void test_default_ssl_roots(void) {
   const char *roots_for_override_api = "roots for override api";
   const char *roots_for_env_var = "roots for env var";
 
-  char *roots_api_file_path;
-  FILE *roots_api_file =
-      gpr_tmpfile("test_roots_for_api_override", &roots_api_file_path);
-  fwrite(roots_for_override_api, 1, strlen(roots_for_override_api),
-         roots_api_file);
-  fclose(roots_api_file);
-
   char *roots_env_var_file_path;
   FILE *roots_env_var_file =
       gpr_tmpfile("test_roots_for_env_var", &roots_env_var_file_path);
@@ -318,7 +311,7 @@ static void test_default_ssl_roots(void) {
   fclose(roots_env_var_file);
 
   /* First let's get the root through the override (no env are set). */
-  grpc_override_ssl_default_roots_file_path(roots_api_file_path);
+  grpc_override_ssl_default_roots(roots_for_override_api);
   gpr_slice roots = grpc_get_default_ssl_roots_for_testing();
   char *roots_contents = gpr_dump_slice(roots, GPR_DUMP_ASCII);
   gpr_slice_unref(roots);
@@ -344,15 +337,10 @@ static void test_default_ssl_roots(void) {
   gpr_free(roots_contents);
 
   /* Cleanup. */
-  remove(roots_api_file_path);
   remove(roots_env_var_file_path);
-  gpr_free(roots_api_file_path);
   gpr_free(roots_env_var_file_path);
-
 }
 
-/* TODO(jboeuf): Unit-test tsi_shallow_peer_from_auth_context. */
-
 int main(int argc, char **argv) {
   grpc_test_init(argc, argv);
   grpc_init();