diff --git a/gateway/src/apicast/cli/command/start.lua b/gateway/src/apicast/cli/command/start.lua
index 69e8f8a4c..f8ae783ba 100644
--- a/gateway/src/apicast/cli/command/start.lua
+++ b/gateway/src/apicast/cli/command/start.lua
@@ -13,6 +13,7 @@ local exec = require('resty.execvp')
 local resty_env = require('resty.env')
 local re = require('ngx.re')
 local resty_url = require('resty.url')
+local system = require('resty.system')
 local Template = require('apicast.cli.template')
 local Environment = require('apicast.cli.environment')
@@ -146,7 +147,10 @@ local function build_context(options, config)
 context.prefix = apicast_root()
- context.ca_bundle = pl.path.abspath(tostring(context.ca_bundle) or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))
+
+ context.ca_bundle = pl.path.abspath(tostring(context.ca_bundle)
+ or system.get_system_trusted_certs_filepath()
+ or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))
 context.access_log_file = options.access_log_file
diff --git a/gateway/src/resty/system.lua b/gateway/src/resty/system.lua
new file mode 100644
index 000000000..4e5446ba6
--- /dev/null
+++ b/gateway/src/resty/system.lua
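Review bot: The new fallback chain in build_context can never reach `system.get_system_trusted_certs_filepath()`, because `tostring(context.ca_bundle)` yields the string `"nil"` when no bundle is configured and a string is always truthy in Lua; the same defect already made the old `conf/ca-bundle.crt` fallback unreachable, and the commit keeps it. The value handed on is then presumably `abspath("nil")`, a path to a file that does not exist, which the TLS configuration will try to use as its trust store — confirm against how the template consumes `context.ca_bundle`. Drop the coercion from the selector: `context.ca_bundle = pl.path.abspath(context.ca_bundle` / `  or system.get_system_trusted_certs_filepath()` / `  or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))`, and apply `tostring` afterwards only if a non-string value is genuinely expected here. build_context starts and ends outside the hunk.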
@@ -0,0 +1,33 @@
+local pl_path = require 'pl.path'
+
+local _M = {}
+
+do
+ -- Possible certificate files; stop after finding one.
+ -- copied from https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L9
+ local trusted_cert_files = {
+ "/etc/ssl/certs/ca-certificates.crt", -- Debian/Ubuntu/Gentoo etc.
+ "/etc/pki/tls/certs/ca-bundle.crt", -- Fedora/RHEL 6
+ "/etc/ssl/ca-bundle.pem", -- OpenSUSE
+ "/etc/pki/tls/cacert.pem", -- OpenELEC
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", -- CentOS/RHEL 7
+ "/etc/ssl/cert.pem", -- Alpine Linux
+ }
+
+ -- Load CA certs in order, the first one found will be used.
+ -- from context
+ -- from default system location
+ -- local APIcast ca-bundle (for backward compatible)
+ --
+ function _M.get_system_trusted_certs_filepath()
+ for _, path in ipairs(trusted_cert_files) do
+ if pl_path.exists(path) then
+ return path
+ end
+ end
+
+ return nil
+ end
+end
+
+return _M
diff --git a/spec/resty/system_spec.lua b/spec/resty/system_spec.lua
new file mode 100644
index 000000000..dd3de2b91
--- /dev/null
+++ b/spec/resty/system_spec.lua
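Review bot: The comment block above `_M.get_system_trusted_certs_filepath` describes a three-level precedence (context, default system location, bundled ca-bundle) that is decided by the caller in start.lua, not by this function, which only probes the system candidates; a reader of this module alone will take it as a contract the function does not have. Replace it with an LDoc header stating what the function actually does: it returns the first entry of `trusted_cert_files` that exists on disk, in list order, or nil when none does, and the list is Linux-only so other platforms always fall through to the caller's next option. Separately, `pl_path.exists(path)` is also true for a directory, so a directory sitting at one of these well-known paths would be returned as if it were a bundle; `pl_path.isfile(path)` is the stricter probe if that case matters. Keeping `trusted_cert_files` private inside the `do ... end` block is fine as written.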
@@ -0,0 +1,37 @@
+local system = require "resty.system"
+local pl_path = require "pl.path"
+
+describe("resty.system", function()
+ describe("get_system_trusted_certs_filepath", function ()
+ local old_exists = pl_path.exists
+ after_each(function()
+ pl_path.exists = old_exists
+ end)
+
+ it("retrieves the default filepath", function()
+ local tests = {
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/etc/pki/tls/certs/ca-bundle.crt",
+ "/etc/ssl/ca-bundle.pem",
+ "/etc/pki/tls/cacert.pem",
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+ "/etc/ssl/cert.pem",
+ }
+ for _, test_path in pairs(tests) do
+ pl_path.exists = function(path)
+ return path == test_path
+ end
+ assert.same(test_path, system.get_system_trusted_certs_filepath())
+ end
+ end)
+
+ it("return nil if nothing found", function()
+ pl_path.exists = function(path)
+ return false
+ end
+
+ local ok = system.get_system_trusted_certs_filepath()
+ assert.is_nil(ok)
+ end)
+ end)
+end)
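Review bot: The spec never exercises the precedence of the candidate list: each iteration of "retrieves the default filepath" makes exactly one path exist, so an implementation that returned the last match, or an arbitrary one, would pass just as well. A case where two candidates exist and the earlier one must win pins the ordering that the module's "stop after finding one" comment promises. Also `pairs(tests)` over a sequence should be `ipairs(tests)` (order happens not to matter here, but it signals intent), and the unused parameter in the second stub could be written `function(_)`.
```lua
-- … unchanged: existing `it` blocks …
it("prefers the earliest candidate when several exist", function()
  pl_path.exists = function(path)
    return path == "/etc/pki/tls/certs/ca-bundle.crt" or path == "/etc/ssl/cert.pem"
  end
  assert.same("/etc/pki/tls/certs/ca-bundle.crt", system.get_system_trusted_certs_filepath())
end)
```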