diff --git a/pkg/api/client.go b/pkg/api/client.go
index 28dfdce..f4814d4 100644
--- a/pkg/api/client.go
+++ b/pkg/api/client.go
@@ -2,6 +2,8 @@ package api
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -30,14 +32,18 @@ type LoxiClient struct {
 // apiServer is string. what format? http://10.0.0.1 or 10.0.0.1
 func NewLoxiClient(apiServer string, aliveCh chan *LoxiClient, deadCh chan struct{}, peerOnly bool, noRole bool) (*LoxiClient, error) {
-	client := &http.Client{}
-
 	base, err := url.Parse(apiServer)
 	if err != nil {
 		fmt.Printf("failed to parse url %s. err: %s", apiServer, err.Error())
 		return nil, err
 	}
+	client, err := CreateHTTPClient(base)
+	if err != nil {
+		fmt.Printf("failed to create HTTP client: %v", err.Error())
+		return nil, err
+	}
+
 	restClient, err := NewRESTClient(base, "netlox", "v1", client)
 	if err != nil {
 		fmt.Printf("failed to call NewRESTClient. err: %s", err.Error())
@@ -70,6 +76,33 @@ func NewLoxiClient(apiServer string, aliveCh chan *LoxiClient, deadCh chan struc
 	return lc, nil
 }
+func CreateHTTPClient(baseURL *url.URL) (*http.Client, error) {
+
+	client := &http.Client{}
+
+	if baseURL.Scheme == "https" {
+
+		rootCAs, err := x509.SystemCertPool()
+		if err != nil || rootCAs == nil {
+			baseURL.Scheme = "http"
+			klog.Infof("HTTPS not supported: %s", baseURL)
+			return client, nil
+		}
+
+		tlsConfig := &tls.Config{
+			RootCAs:            rootCAs,
+			InsecureSkipVerify: false,
+		}
+
+		transport := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		client.Transport = transport
+	}
+
+	return client, nil
+}
+
 func (l *LoxiClient) StartLoxiHealthCheckChan(aliveCh chan *LoxiClient, deadCh chan struct{}) {
 	l.IsAlive = false
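Review bot: The error branch after `client, err := CreateHTTPClient(base)` can never fire as the helper is written in this commit: its only failure path (the `x509.SystemCertPool` check in the third hunk) rewrites `base.Scheme` to `"http"` and returns a nil error, so an operator who configured an https apiServer silently gets a plaintext client and `NewRESTClient(base, ...)` on the next line sees the downgraded URL. If the helper is changed to return that error instead of mutating the URL, this branch becomes live and `base` stays as parsed. Minor: `fmt.Printf("failed to create HTTP client: %v", err.Error())` formats a string with `%v`; `%s` with `err.Error()` matches the neighbouring calls. NewLoxiClient continues outside the hunk.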
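Review bot: The fallback in CreateHTTPClient on `x509.SystemCertPool()` failure is a silent TLS downgrade: it sets the caller's `baseURL.Scheme` to `"http"` and returns a usable client with a nil error, so a client configured for https talks plaintext after only an Info-level log, and the caller's URL has been changed underneath it. The call is also unnecessary for what the function wants — a `tls.Config` with `RootCAs` nil already verifies against the host's root set, and `InsecureSkipVerify: false` is the zero value. Replace the fallback with `if err != nil { return nil, fmt.Errorf("loading system root CAs: %w", err) }` and drop the scheme rewrite and the `rootCAs == nil` test. Separately, the new `&http.Client{}` carries no `Timeout`, so a stalled API server blocks callers indefinitely; setting `client.Timeout` or using per-request contexts would bound that.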