diff --git a/ca/bootstrap.go b/ca/bootstrap.go
index 577e4aaa..fd91a0fe 100644
--- a/ca/bootstrap.go
+++ b/ca/bootstrap.go
@@ -87,6 +87,9 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server, optio
 		return nil, err
 	}
 
+	// Make sure the tlsConfig have all supported roots
+	options = append(options, AddRootsToClientCAs(), AddRootsToRootCAs())
+
 	tlsConfig, err := client.GetServerTLSConfig(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
@@ -130,6 +133,9 @@ func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*
 		return nil, err
 	}
 
+	// Make sure the tlsConfig have all supported roots
+	options = append(options, AddRootsToRootCAs())
+
 	transport, err := client.Transport(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
diff --git a/ca/tls_options.go b/ca/tls_options.go
index 26eae156..2414b313 100644
--- a/ca/tls_options.go
+++ b/ca/tls_options.go
@@ -95,6 +95,8 @@ func AddClientCA(cert *x509.Certificate) TLSOption {
 // AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all
 // the certificates in the response. RootCAs defines the set of root certificate
 // authorities that clients use when verifying server certificates.
+//
+// BootstrapServer and BootstrapClient methods include this option by default.
 func AddRootsToRootCAs() TLSOption {
 	return func(c *Client, tr http.RoundTripper, config *tls.Config) error {
 		certs, err := c.Roots(tr)
@@ -115,6 +117,8 @@ func AddRootsToRootCAs() TLSOption {
 // all the certificates in the response. ClientCAs defines the set of root
 // certificate authorities that servers use if required to verify a client
 // certificate by the policy in ClientAuth.
+//
+// BootstrapServer method includes this option by default.
 func AddRootsToClientCAs() TLSOption {
 	return func(c *Client, tr http.RoundTripper, config *tls.Config) error {
 		certs, err := c.Roots(tr)
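Review bot: The `options = append(options, AddRootsToClientCAs(), AddRootsToRootCAs())` line in BootstrapServer makes the widened trust set unconditional: every certificate the CA's roots endpoint returns is added to both RootCAs and ClientCAs, so a caller who passed a deliberately narrower set (for example a single root via AddClientCA) still ends up accepting client certificates chaining to any published root, with no way to opt out. If any TLSOption replaces rather than extends the pools, appending the defaults last also means the caller's option is silently overridden; prepending would give caller-supplied options the last word: `options = append([]TLSOption{AddRootsToClientCAs(), AddRootsToRootCAs()}, options...)`. Either way the contract belongs on BootstrapServer's doc comment, something like `// The returned server trusts every root returned by the CA's roots endpoint for both server and client verification; callers cannot narrow this set.` A caller that already passes one of these options will now trigger a second roots request, which is harmless but worth mentioning in that comment. BootstrapServer's body starts and ends outside this hunk.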
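Review bot: The `options = append(options, AddRootsToRootCAs())` line in BootstrapClient appends to the variadic parameter in place, so when a caller spreads a slice with spare capacity (`BootstrapClient(ctx, tok, opts...)`) the injected option can be written into the caller's backing array and show up in a later call that reuses it. Building a fresh slice avoids the aliasing: `opts := make([]TLSOption, 0, len(options)+1)`, `opts = append(opts, options...)`, `opts = append(opts, AddRootsToRootCAs())`, then pass `opts...` to Transport. The added comment should also read `// Make sure the tlsConfig has all supported roots` (the same wording appears in BootstrapServer). BootstrapClient's body starts and ends outside this hunk.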