diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2070a2637..9451feed1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Fixed
 
+- `tt aeon`: did not use system CAs by default.
+
 ## [2.7.0] - 2025-01-22
 
 The release introduces an experimental support of console for AeonDB and
diff --git a/cli/aeon/client.go b/cli/aeon/client.go
index 46a1b1bd8..d4d17734e 100644
--- a/cli/aeon/client.go
+++ b/cli/aeon/client.go
@@ -50,28 +50,35 @@ func getCertificate(args cmd.Ssl) (tls.Certificate, error) {
 }
 
 func getTlsConfig(args cmd.Ssl) (*tls.Config, error) {
+	var pool *x509.CertPool
+
 	if args.CaFile == "" {
-		return &tls.Config{
-			ClientAuth: tls.NoClientCert,
-		}, nil
-	}
+		p, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("failed to load system cert pool: %w", err)
+		}
 
-	ca, err := os.ReadFile(args.CaFile)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read CA file: %w", err)
-	}
-	certPool := x509.NewCertPool()
-	if !certPool.AppendCertsFromPEM(ca) {
-		return nil, errors.New("failed to append CA data")
+		pool = p
+	} else {
+		ca, err := os.ReadFile(args.CaFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA file: %w", err)
+		}
+
+		pool = x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(ca) {
+			return nil, errors.New("failed to append CA data")
+		}
 	}
+
 	cert, err := getCertificate(args)
 	if err != nil {
 		return nil, fmt.Errorf("failed get certificate: %w", err)
 	}
+
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-		RootCAs:      certPool,
+		RootCAs:      pool,
 	}, nil
 }
 
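Review bot: With an empty CaFile the returned config now always carries `cert` in `Certificates`, where the removed early return produced a config with no client certificate at all; getCertificate is defined above the hunk, so whether it errors or yields an empty tls.Certificate when no key pair is configured cannot be checked here, and in the latter case the client would offer an entry with no chain. Either confirm that getCertificate rejects the unconfigured case, or only attach the certificate when it has one, e.g. `if len(cert.Certificate) > 0 { cfg.Certificates = []tls.Certificate{cert} }`. The dropped ClientAuth settings are server-side fields that had no effect in a client config, so removing them is fine, but the fallback behaviour deserves a doc comment on the function: `// getTlsConfig builds the client TLS config; RootCAs comes from args.CaFile when set, otherwise from the system certificate pool.` As a style point, `p, err := x509.SystemCertPool()` followed by `pool = p` can be collapsed into `var err error` plus `pool, err = x509.SystemCertPool()`.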