diff --git a/packages/sandbox/Dockerfile b/packages/sandbox/Dockerfile
index b73c4d2b8..3430cfd1a 100644
--- a/packages/sandbox/Dockerfile
+++ b/packages/sandbox/Dockerfile
@@ -226,11 +226,12 @@ FROM golang:1.25-bookworm AS go-builder
 
 RUN mkdir -p /usr/local/share/ca-certificates
 RUN --mount=type=secret,id=wrangler_ca \
+    apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
     if [ -f /run/secrets/wrangler_ca ] && [ -s /run/secrets/wrangler_ca ]; then \
-        cp /run/secrets/wrangler_ca /usr/local/share/ca-certificates/wrangler-dev-ca.crt && \
-        apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
-        update-ca-certificates; \
-    fi
+        cp /run/secrets/wrangler_ca /usr/local/share/ca-certificates/wrangler-dev-ca.crt; \
+    fi && \
+    update-ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc libx11-dev libxtst-dev libxinerama-dev libpng-dev \
diff --git a/packages/sandbox/scripts/docker-local.sh b/packages/sandbox/scripts/docker-local.sh
index 0798e9c99..b74d8f015 100755
--- a/packages/sandbox/scripts/docker-local.sh
+++ b/packages/sandbox/scripts/docker-local.sh
@@ -6,6 +6,7 @@ cd "$(dirname "$0")/../../.."
 
 VERSION="$npm_package_version"
 IMAGE="cloudflare/sandbox-test"
+WRANGLER_CA_CERT="${NODE_EXTRA_CA_CERTS:-${SSL_CERT_FILE:-/dev/null}}"
 
 docker build \
   -f packages/sandbox/Dockerfile \
@@ -29,7 +30,7 @@ docker build \
   --platform linux/amd64 \
   --build-arg SANDBOX_VERSION="$VERSION" \
   -t "$IMAGE:$VERSION-opencode" \
-  --secret id=wrangler_ca,src="${NODE_EXTRA_CA_CERTS:-/dev/null}" \
+  --secret id=wrangler_ca,src="$WRANGLER_CA_CERT" \
   .
 
 docker build \
@@ -38,7 +39,7 @@ docker build \
   --platform linux/amd64 \
   --build-arg SANDBOX_VERSION="$VERSION" \
   -t "$IMAGE:$VERSION-desktop" \
-  --secret id=wrangler_ca,src="${NODE_EXTRA_CA_CERTS:-/dev/null}" \
+  --secret id=wrangler_ca,src="$WRANGLER_CA_CERT" \
   .
 
 STANDALONE_DIR="tests/e2e/test-worker"
@@ -57,5 +58,5 @@ docker build \
   --platform linux/amd64 \
   --build-arg SANDBOX_VERSION="$VERSION" \
   -t "$IMAGE:$VERSION-musl" \
-  --secret id=wrangler_ca,src="${NODE_EXTRA_CA_CERTS:-/dev/null}" \
+  --secret id=wrangler_ca,src="$WRANGLER_CA_CERT" \
   .