diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
index 0ae63c9ec5..8f6090c72f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
@@ -689,7 +689,10 @@ func transportForCARef(ctx context.Context, kclient crclient.Reader, namespace,
 	transport := net.SetTransportDefaults(&http.Transport{
 		TLSClientConfig: &tls.Config{},
 	})
-	roots := x509.NewCertPool()
+	roots, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create system cert pool: %w", err)
+	}
 
 	if !skipKonnectivityDialer {
 		var err error
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
index ca7c19e3fe..4d57d8c1ca 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
@@ -380,7 +380,8 @@ users:
 			g.Expect(gotURL).To(Equal(tc.expectedProxyRequestURL))
 
 			// Validate RootCAs expectations.
-			expectedCertPool := x509.NewCertPool()
+			expectedCertPool, err := x509.SystemCertPool()
+			g.Expect(err).ToNot(HaveOccurred())
 			if tc.hcp.Spec.Configuration != nil {
 				if tc.hcp.Spec.Configuration.Proxy.TrustedCA.Name != "" {
 					expectedCertPool.AppendCertsFromPEM([]byte(fakeProxyCertCADecoded))
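Review bot: Seeding `roots` from `x509.SystemCertPool()` instead of an empty pool widens the transport's trust from only the CA that gets appended later to the host's entire trust store plus that CA, so a CA reference no longer pins the identity provider or proxy to a single issuer; if that widening is intended, document it on `transportForCARef` with something like `// roots starts from the system trust store; the referenced CA is added to it, not substituted for it.` and confirm no caller relied on the reference being the sole trust anchor. The `err` introduced by `roots, err := x509.SystemCertPool()` is then shadowed by the retained `var err error` inside `if !skipKonnectivityDialer`, which compiles but is the shadowing pattern linters flag and invites a later `:=` slip; dropping the inner `var err error` and assigning with `=` in that block would be cleaner, assuming the block assigns rather than redeclares `err`. `transportForCARef` starts before and continues past this hunk.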
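Review bot: Building `expectedCertPool` from the host's `x509.SystemCertPool()` makes the RootCAs assertion depend on whatever CA bundle the CI runner or developer machine carries, and on a host with no readable bundle the subtest now fails at `g.Expect(err).ToNot(HaveOccurred())` rather than on the code under test. If the comparison that follows needs a stable expected pool, consider pointing the test at a small fixture bundle via `t.Setenv("SSL_CERT_FILE", …)`/`SSL_CERT_DIR`, with the caveat that Go loads the system pool once per process, so this only takes effect if set before the first `SystemCertPool` call. The enclosing subtest body starts and ends outside this hunk.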