diff --git a/changelog.md b/changelog.md
index 53f06efe0b..3b9dbe04e5 100644
--- a/changelog.md
+++ b/changelog.md
@@ -125,6 +125,14 @@
 Proc `rightSize` for Tables and HashSets is deprecated, as it is not needed anymore.
 `CountTable.inc` takes `val: int` again not `val: Positive`; I.e. it can "count down" again.
 - Removed deprecated symbols from `macros` module, deprecated as far back as `0.15`.
+- On Windows the SSL library now checks for valid certificates.
+ It uses the `cacert.pem` file for this purpose which was extracted
+ from `https://curl.se/ca/cacert.pem`. Besides
+ the OpenSSL DLLs (e.g. libssl-1_1-x64.dll, libcrypto-1_1-x64.dll) you
+ now also need to ship `cacert.pem` with your `.exe` file.
+
+
+- Make `{.requiresInit.}` pragma to work for `distinct` types.
 - Added `asyncdispatch.activeDescriptors` that returns the number of currently
diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index 187801b75d..d49b60e916 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -22,6 +22,17 @@
 ## In order to use the SSL procedures defined in this module, you will need to
 ## compile your application with the ``-d:ssl`` flag.
 ##
+##
+## SSL on Windows
+## ==============
+##
+## On Windows the SSL library checks for valid certificates.
+## It uses the `cacert.pem` file for this purpose which was extracted
+## from `https://curl.se/ca/cacert.pem`. Besides
+## the OpenSSL DLLs (e.g. libssl-1_1-x64.dll, libcrypto-1_1-x64.dll) you
+## also need to ship `cacert.pem` with your `.exe` file.
+##
+##
 ## Examples
 ## ========
 ##
diff --git a/lib/pure/ssl_certs.nim b/lib/pure/ssl_certs.nim
index af83cc9373..f225c633d4 100644
--- a/lib/pure/ssl_certs.nim
+++ b/lib/pure/ssl_certs.nim
@@ -107,14 +107,18 @@ iterator scanSSLCertificates*(useEnvVars = false): string =
 else:
 when defined(windows):
- let pem = getAppDir() / "cacert.pem"
- # We download the certificates according to https://curl.se/docs/caextract.html
- # These are the certificates from Firefox. The 'bitsadmin.exe' tool ships with every
- # recent version of Windows (Windows 8, Windows XP, etc.)
- if not fileExists(pem):
- discard os.execShellCmd("""bitsadmin.exe /rawreturn /transfer "JobName" /priority FOREGROUND https://curl.se/ca/cacert.pem """ &
- quoteShell(pem))
- yield pem
+ const cacert = "cacert.pem"
+ let pem = getAppDir() / cacert
+ if fileExists(pem):
+ yield pem
+ else:
+ let path = getEnv("PATH")
+ for candidate in split(path, PathSep):
+ if candidate.len != 0:
+ let x = (if candidate[0] == '"' and candidate[^1] == '"':
+ substr(candidate, 1, candidate.len-2) else: candidate) / cacert
+ if fileExists(x):
+ yield x
 elif not defined(haiku):
 for p in certificatePaths:
 if p.endsWith(".pem") or p.endsWith(".crt"):
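Review bot: The new `PATH` fallback lets any directory on `PATH` supply the CA bundle, so a `cacert.pem` sitting in a user-writable or relative entry (`.`, or an entry that is just `"`, which the quote-stripping turns into an empty directory) becomes a trust anchor for certificate verification. The loop should accept only absolute directories and strip the quotes only when `candidate.len >= 2`; the fence shows the rewritten loop body. The module docs added in this commit tell users to ship `cacert.pem` next to the `.exe` and do not mention this fallback, so it should be documented or dropped. The consumer of the iterator and the rest of `scanSSLCertificates` are outside the hunk, so whether the first yielded file wins cannot be confirmed from here.

```nim
# … unchanged: app-directory lookup and `let path = getEnv("PATH")` …
for candidate in split(path, PathSep):
  # Strip the quotes only when both are really there (a lone `"` has len 1).
  let dir = (if candidate.len >= 2 and candidate[0] == '"' and candidate[^1] == '"':
    substr(candidate, 1, candidate.len-2) else: candidate)
  # Relative or empty entries would resolve against the current directory.
  if dir.len != 0 and isAbsolute(dir):
    let x = dir / cacert
    # … unchanged: `if fileExists(x): yield x` …
```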