diff --git a/ci/docker/windows/prepare_gst_env.ps1 b/ci/docker/windows/prepare_gst_env.ps1
index b741fce6e9..fd2f70840c 100644
--- a/ci/docker/windows/prepare_gst_env.ps1
+++ b/ci/docker/windows/prepare_gst_env.ps1
@@ -1,9 +1,18 @@
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
 
-# FIXME: Python fails to validate github.com SSL certificate, unless we first
-# run a dummy download to force refreshing Windows' CA database.
-# See: https://bugs.python.org/issue36137
-(New-Object System.Net.WebClient).DownloadString("https://github.com") >$null
+# FIXME: Python fails to validate SSL certificates because of an incorrect
+# schannel implementation. Windows downloads CA certs dynamically as required,
+# and Python doesn't do the right thing to trigger that. So, add Mozilla's
+# certs (via certifi) to the windows cert store manually. See:
+# https://bugs.python.org/issue36137
+# https://bugs.python.org/issue36011
+
+python -m pip install certifi
+$cert_pem = python -m certifi
+$plaintext_pw = 'PASSWORD'
+$secure_pw = ConvertTo-SecureString $plaintext_pw -AsPlainText -Force
+C:\msys64\ucrt64\bin\openssl.exe pkcs12 -export -nokeys -out $env:TEMP\certs.pfx -in $cert_pem -passout pass:$plaintext_pw
+Import-PfxCertificate -Password $secure_pw  -CertStoreLocation Cert:\LocalMachine\Root -FilePath $env:TEMP\certs.pfx
 
 Write-Host "Cloning GStreamer"
 git clone -b $env:DEFAULT_BRANCH https://gitlab.freedesktop.org/gstreamer/gstreamer.git C:\gstreamer
@@ -13,5 +22,5 @@ Write-Host "Downloading subprojects"
 meson subprojects download --sourcedir C:\gstreamer
 
 Write-Host "Caching subprojects into /subprojects/"
-python C:\gstreamer/ci/scripts/handle-subprojects-cache.py --build C:\gstreamer/subprojects/
+python C:/gstreamer/ci/scripts/handle-subprojects-cache.py --build C:/gstreamer/subprojects
 Remove-Item -Recurse -Force C:\gstreamer