diff --git a/client/daemon/daemon.go b/client/daemon/daemon.go
index fd39c8e2b..e4acac391 100644
--- a/client/daemon/daemon.go
+++ b/client/daemon/daemon.go
@@ -504,6 +504,7 @@ func (*clientDaemon) prepareTCPListener(opt config.ListenOption, withTLS bool) (
 caCertPool := x509.NewCertPool()
 caCertPool.AppendCertsFromPEM([]byte(opt.Security.CACert))
 tlsConfig.ClientCAs = caCertPool
+ tlsConfig.RootCAs = caCertPool
 if opt.Security.TLSVerify {
 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 }
diff --git a/client/daemon/peer/piece_downloader.go b/client/daemon/peer/piece_downloader.go
index 8af419621..d01b32890 100644
--- a/client/daemon/peer/piece_downloader.go
+++ b/client/daemon/peer/piece_downloader.go
@@ -153,7 +153,10 @@ func NewPieceDownloader(timeout time.Duration, caCertPool *x509.CertPool) PieceD
 if caCertPool != nil {
 pd.scheme = "https"
- defaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ClientCAs: caCertPool}
+ defaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+ ClientCAs: caCertPool,
+ RootCAs: caCertPool,
+ }
 }
 return pd
diff --git a/pkg/rpc/credential.go b/pkg/rpc/credential.go
index 463aad900..ba1068645 100644
--- a/pkg/rpc/credential.go
+++ b/pkg/rpc/credential.go
@@ -64,6 +64,7 @@ func NewServerCredentialsByCertify(tlsPolicy string, tlsVerify bool, pemClientCA
 return certifyClient.GetCertificate(hello)
 },
 ClientCAs: certPool,
+ RootCAs: certPool,
 }
 if tlsVerify {
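Review bot: The pool assigned to `RootCAs` on the added line in daemon.go is filled by `AppendCertsFromPEM`, whose boolean result is discarded two lines above, so a malformed or empty `opt.Security.CACert` leaves an empty non-nil pool on both fields and every verification fails at handshake time rather than at startup. I would check it where the pool is built, `if !caCertPool.AppendCertsFromPEM([]byte(opt.Security.CACert)) {`, and return an error from prepareTCPListener in that branch. Separately, crypto/tls consults `RootCAs` only when a config is used to dial, so on this listener config and on the server config in the credential.go hunk the new field matters only if the same config is reused for outbound connections; if that is the intent, a one-line comment saying so next to the assignment would help. prepareTCPListener starts and ends outside the hunk.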
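Review bot: In the piece_downloader.go hunk the new literal keeps `ClientCAs: caCertPool`, a field crypto/tls reads only on the accepting side, so on this outbound transport the added `RootCAs` line is the only one that changes verification; `&tls.Config{RootCAs: caCertPool}` would state the intent without the dead field. The config also carries no client certificate, so if the peer listener runs with `tls.RequireAndVerifyClientCert` (the daemon.go hunk sets that when TLSVerify is on) the handshake would presumably be rejected unless a certificate is attached elsewhere, which is worth confirming. The assignment goes through an unchecked `defaultTransport.(*http.Transport)` assertion on what looks like a shared transport, so a later call with a different pool would replace the trust roots for every user of it. NewPieceDownloader begins before the hunk.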