diff --git a/zunclient/common/websocketclient/websocketclient.py b/zunclient/common/websocketclient/websocketclient.py
index c2459e62..1f29e223 100644
--- a/zunclient/common/websocketclient/websocketclient.py
+++ b/zunclient/common/websocketclient/websocketclient.py
@@ -23,6 +23,7 @@ from oslo_log import log as logging
 import select
 import signal
 import socket
+import ssl
 import struct
 import sys
 import termios
@@ -241,6 +242,8 @@ class WebSocketClient(BaseClient):
 self.ws = websocket.create_connection(
 url, skip_utf8_validation=True,
 origin=self._compute_origin_header(url),
+ sslopt={'cert_reqs': ssl.CERT_REQUIRED,
+ 'ca_certs': self.get_system_ca_file()},
 subprotocols=["binary", "base64"])
 print('connected to %s, press Enter to continue' % self.id)
 print('type %s. to disconnect' % self.escape)
@@ -267,6 +270,20 @@ class WebSocketClient(BaseClient):
 def recv(self):
 return self.ws.recv()
+ @staticmethod
+ def get_system_ca_file():
+ """Return path to system default CA file."""
+ # Standard CA file locations for Debian/Ubuntu, RedHat/Fedora,
+ # Suse, FreeBSD/OpenBSD
+ ca_path = ['/etc/ssl/certs/ca-certificates.crt',
+ '/etc/pki/tls/certs/ca-bundle.crt',
+ '/etc/ssl/ca-bundle.pem',
+ '/etc/ssl/cert.pem']
+ for ca in ca_path:
+ if os.path.exists(ca):
+ return ca
+ return None
+
 class AttachClient(WebSocketClient):
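Review bot: `get_system_ca_file()` can return `None`, and the new `sslopt` argument in the `create_connection(...)` call passes that straight through as `'ca_certs': None` alongside `ssl.CERT_REQUIRED`. What happens next depends on the websocket-client version in use (it may fall back to its own defaults or fail the handshake with an unhelpful error), so the call site should resolve the path first with `ca_file = self.get_system_ca_file()` and raise a clear error when it is `None`. The trust store is also fixed to the system bundle, so a deployment whose endpoint is signed by a private CA cannot supply its own bundle here; if the client already accepts a CA-file setting elsewhere, that setting should take precedence over the system path. The enclosing method starts and ends outside the hunk, so how an error from this call is handled cannot be seen from here.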
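Review bot: The lookup in `get_system_ca_file()` relies on a hard-coded list of four paths and never consults the trust store the Python `ssl` module is already configured with, so an operator-set `SSL_CERT_FILE` or a distribution with a different bundle location is not picked up. Checking the interpreter's default first keeps the list as a fallback only: `default = ssl.get_default_verify_paths().cafile` and `if default: return default` ahead of the loop. `os.path.exists(ca)` also accepts a directory, so `os.path.isfile(ca)` is the safer test for a value that is passed as `ca_certs`. The docstring should state the `None` result, for example `"""Return the path of the first system CA bundle found, or None."""`.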