diff --git a/ca-certs.diff b/ca-certs.diff
new file mode 100644
index 0000000..5ca6fb3
--- /dev/null
+++ b/ca-certs.diff
@@ -0,0 +1,49 @@
+From d8c8d99713e8417461d99aa907afc4621fd85915 Mon Sep 17 00:00:00 2001
+From: Pat Riehecky
+Date: Fri, 6 Sep 2019 09:11:41 -0500
+Subject: [PATCH] Add additional ways to seed a SSL CA and fall back to default
+ CA store
+
+---
+ lib/Ocsinventory/Agent.pm | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Ocsinventory/Agent.pm b/lib/Ocsinventory/Agent.pm
+index 6de71b73..65259d14 100644
+--- a/lib/Ocsinventory/Agent.pm
++++ b/lib/Ocsinventory/Agent.pm
+@@ -158,7 +158,33 @@ sub run {
+
+ # Setting SSL CA file path if not set in configuration
+ unless ($config->{config}{ca}) {
+- $config->{config}{ca} = $config->{config}{vardir}."/cacert.pem";
++ # use server specific cacert.pem if it exists
++ $config->{config}{ca} = $config->{config}{vardir}.'/cacert.pem';
++
++ unless (-e $config->{config}{vardir}.'/cacert.pem') {
++ # if no server specific cacert.pem, look for a bundle in our config dir
++ foreach (@{$self->{config}{etcdir}}) {
++ if (-e $_.'/ocsinventory-agent-cacert.pem') {
++ $config->{config}{ca} = $_.'/ocsinventory-agent-cacert.pem';
++ last;
++ }
++ }
++
++ # Still no CA cert? Drop back to system default store.
++ if ($config->{config}{ca} == $config->{config}{vardir}.'/cacert.pem') {
++ if (-e '/etc/pki/tls/certs/ca-bundle.crt') {
++ # RPM systems
++ $logger->info("Trying system CA /etc/pki/tls/certs/ca-bundle.crt");
++ $config->{config}{ca} = '/etc/pki/tls/certs/ca-bundle.crt';
++ } elsif (-e '/etc/ssl/certs/ca-certificates.crt') {
++ # DEB/Arch/Gentoo systems
++ # some RPM systems may have this too, but should use
++ # /etc/pki/tls/certs/ca-bundle.crt instead.
++ $logger->info("Trying system CA /etc/ssl/certs/ca-certificates.crt");
++ $config->{config}{ca} = '/etc/ssl/certs/ca-certificates.crt';
++ }
++ }
++ }
+ }
+
+ ################################################################################################################
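Review bot: The check `if ($config->{config}{ca} == $config->{config}{vardir}.'/cacert.pem')` under the "Still no CA cert?" comment compares two path strings with the numeric `==`; both sides will normally numify to 0, so the test is true even after the etcdir loop has already selected `ocsinventory-agent-cacert.pem`. On a host that has a system bundle, the agent-specific bundle is then replaced by the system-wide store, which widens the set of CAs the agent trusts for its server connection beyond what the administrator configured. Use the string operator instead: `if ($config->{config}{ca} eq $config->{config}{vardir}.'/cacert.pem') {`. The loop also reads `$self->{config}{etcdir}` while every other line uses `$config->{config}`, which is worth confirming as intended, since `sub run` starts and ends outside this hunk.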
diff --git a/ocsinventory-agent.spec b/ocsinventory-agent.spec index 39d7f52..d35e7ab 100644 --- a/ocsinventory-agent.spec +++ b/ocsinventory-agent.spec @@ -22,7 +22,7 @@ Name: ocsinventory-agent Summary: Open Computer and Software Inventory Next Generation client Version: 2.6.0 -Release: 2.1%{?dist} +Release: 3%{?dist} Source0: https://github.com/OCSInventory-NG/UnixAgent/releases/download/v%{official_version}/Ocsinventory-Unix-Agent-%{official_version}.tar.gz @@ -39,6 +39,7 @@ Source33: ocsinventory-agent-daily.timer Patch0001: fix_unused_user.diff Patch0002: fix_syntax.diff Patch0003: fix_lspci.diff +Patch0004: ca-certs.diff License: GPLv2+ URL: http://www.ocsinventory-ng.org/ @@ -300,6 +301,9 @@ rm %{buildroot}%{_sbindir}/ipdiscover %changelog +* Wed Dec 18 2019 Pat Riehecky - 2.6.0-3 +- Use system CA certs if no custom client CA set + * Tue Dec 03 2019 Pat Riehecky - 2.6.0-2.1 - Backport a few patches from upstream