open-horizon · dlarson04 · Jul 2, 2024
diff --git a/cli/cliutils/cliutils.go b/cli/cliutils/cliutils.go
@@ -1098,20 +1098,28 @@ func GetIcpCertPath() string {
 
 // TrustIcpCert adds the icp cert file to be trusted in calls made by the given http client
 func TrustIcpCert(httpClient *http.Client) error {
-	icpCertPath := GetIcpCertPath()
-	if icpCertPath != "" {
-		icpCert, err := ioutil.ReadFile(icpCertPath)
-		if err != nil {
-			return fmt.Errorf(i18n.GetMessagePrinter().Sprintf("Encountered error reading ICP cert file %v: %v", icpCertPath, err))
-		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(icpCert)
-
-		transport := httpClient.Transport.(*http.Transport)
-		transport.TLSClientConfig.RootCAs = caCertPool
-
-	}
-	return nil
+        icpCertPath := GetIcpCertPath()
+
+        var caCertPool *x509.CertPool
+        var err error
+
+        // Trust the system certs like the anax agent code can
+        caCertPool, err = x509.SystemCertPool()
+        if err != nil {
+                return err
+        }
+
+        if icpCertPath != "" {
+                icpCert, err := ioutil.ReadFile(icpCertPath)
+                if err != nil {
+                        return fmt.Errorf(i18n.GetMessagePrinter().Sprintf("Encountered error reading ICP cert file %v: %v", icpCertPath, err))
+                }
+                caCertPool.AppendCertsFromPEM(icpCert)
+        }
+
+        transport := httpClient.Transport.(*http.Transport)
+        transport.TLSClientConfig.RootCAs = caCertPool
+        return nil
 }
 
 // Get exchange url from /etc/default/horizon file. if not set, check /etc/horizon/anax.json file