diff --git a/Cargo.lock b/Cargo.lock
index 90fc405..7d4b7f5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1713,9 +1713,9 @@ dependencies = [
 [[package]]
 name = "tonic"
-version = "0.12.1"
+version = "0.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38659f4a91aba8598d27821589f5db7dddd94601e7a01b1e485a50e5484c7401"
+checksum = "c6f6ba989e4b2c58ae83d862d3a3e27690b6e3ae630d0deb59f3697f32aa88ad"
 dependencies = [
 "async-stream",
 "async-trait",
diff --git a/Cargo.toml b/Cargo.toml
index 2bad788..70890e8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -20,7 +20,7 @@ prost = "0.13"
 serde = { version = "1.0", features = ["derive"] }
 syslog = "7.0"
 thiserror = "1.0"
-tonic = { version = "0.12", features = ["gzip", "tls", "tls-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls", "tls-native-roots"] }
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 tokio-stream = { version = "0.1", features = [] }
 toml = { version = "0.8", default-features = false, features = ["parse"] }
diff --git a/src/gateway.rs b/src/gateway.rs
index 2dd8adc..7665f61 100644
--- a/src/gateway.rs
+++ b/src/gateway.rs
@@ -326,12 +326,14 @@ impl Gateway {
 .http2_keep_alive_interval(TEN_SECS)
 .tcp_keepalive(Some(TEN_SECS))
 .keep_alive_while_idle(true);
+ // if CA certificate is provided, use it (and only it)
+ // otherwise load certs from system
 let endpoint = if let Some(ca) = &self.config.grpc_ca {
 let ca = std::fs::read_to_string(ca)?;
 let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca));
 endpoint.tls_config(tls)?
 } else {
-endpoint
+ endpoint.tls_config(ClientTlsConfig::new().with_native_roots())?
 };
 let channel = endpoint.connect_lazy();
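Review bot: The `tonic` requirement in Cargo.toml stays at `version = "0.12"`, yet the gateway.rs hunk calls `with_native_roots()` and this line enables `tls-native-roots`, both of which appear to be available only from 0.12.2 (the version the lockfile now pins). A build that resolves without the lockfile could pick 0.12.0 or 0.12.1 and fail to compile, or worse, build an older TLS setup than the one reviewed here. I would raise the floor in the manifest: `tonic = { version = "0.12.2", features = ["gzip", "tls", "tls-native-roots"] }`.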
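Review bot: The new comment above `let endpoint = if let Some(ca) = &self.config.grpc_ca {` states the trust policy but not its operational consequence: in the `else` branch certificate verification now depends entirely on the host's root store, and because `connect_lazy()` defers the connection, a host without system CA certificates (a minimal container image, for example) will only fail later, at the first handshake. I would extend the comment to something like `// no grpc_ca: trust the OS root store; hosts without one must set grpc_ca` and log at startup which trust source was selected, so a misconfigured deployment is visible in the logs. It is also worth confirming how a `grpc_url` with an `http://` scheme is handled, since from this hunk it looks as though the TLS configuration is attached in both branches but may not be used for a plaintext URL. The enclosing function starts and ends outside the hunk.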