diff --git a/setup.py b/setup.py
index 38b5d44f2201..924d0382e4ed 100644
--- a/setup.py
+++ b/setup.py
@@ -275,6 +275,7 @@ def build_extensions(self):
 
     python_requires='>={}'.format('.'.join(str(n) for n in min_version)),
     setup_requires=[
+        "certifi>=2020.06.20",
         "numpy>=1.15",
     ],
     install_requires=[
diff --git a/setupext.py b/setupext.py
index ed6a7a76e4a2..fda44ed7db3b 100644
--- a/setupext.py
+++ b/setupext.py
@@ -42,6 +42,13 @@ def _get_hash(data):
     return hasher.hexdigest()
 
 
+@functools.lru_cache()
+def _get_ssl_context():
+    import certifi
+    import ssl
+    return ssl.create_default_context(cafile=certifi.where())
+
+
 def download_or_cache(url, sha):
     """
     Get bytes from the given url or local cache.
@@ -73,7 +80,8 @@ def download_or_cache(url, sha):
     # default User-Agent, but not (for example) wget; so I don't feel too
     # bad passing in an empty User-Agent.
     with urllib.request.urlopen(
-            urllib.request.Request(url, headers={"User-Agent": ""})) as req:
+            urllib.request.Request(url, headers={"User-Agent": ""}),
+            context=_get_ssl_context()) as req:
         data = req.read()
 
     file_sha = _get_hash(data)