diff --git a/src/core/bootstrap/mod.rs b/src/core/bootstrap/mod.rs
index 36c90db45..96cb29957 100644
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
@@ -227,7 +227,7 @@ impl BootstrapManager {
 let pm = PackageManager::new(self.install_mode.clone(), self.tenant.clone())?;
 if pm.is_installed("vault") {
- let vault_already_running = safe_sh_command("curl -f -sk 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
+ let vault_already_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
 .map(|o| o.status.success())
 .unwrap_or(false);
@@ -245,7 +245,7 @@ impl BootstrapManager {
 }
 for i in 0..10 {
- let vault_ready = safe_sh_command("curl -f -sk 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
+ let vault_ready = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
 .map(|o| o.status.success())
 .unwrap_or(false);
@@ -436,7 +436,7 @@ impl BootstrapManager {
 }
 if installer.is_installed("vault") {
- let vault_running = safe_sh_command("curl -f -sk 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
+ let vault_running = safe_sh_command("curl -f -sk --cert ./botserver-stack/conf/system/certificates/botserver/client.crt --key ./botserver-stack/conf/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1")
 .map(|o| o.status.success())
 .unwrap_or(false);
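Review bot: The probe on the `+` line still passes `-sk`, so the Vault server certificate is never verified even though the commit now configures a CA at `conf/system/certificates/ca/ca.crt`; replacing `-sk` with `-s --cacert ./botserver-stack/conf/system/certificates/ca/ca.crt` would make the health check mutually authenticated instead of one-way, and the same applies to the hunks at -245 and -436, to the `safe_curl` call at -1403, and to `check_cmd` at installer.rs -963. The new `./botserver-stack/...` paths resolve against the process working directory, whereas the installer template derives the same files from `{{CONF_PATH}}`; because the result is folded with `unwrap_or(false)`, a wrong cwd makes a running Vault look stopped rather than surfacing an error. Since this command string is now pasted four times in this file, I would build it once from the resolved conf directory, roughly as below, and call that from each site (assuming `safe_sh_command` accepts a `&str`). The enclosing methods start and end outside these hunks.
```rust
/// Builds the Vault health probe once so every call site presents the same
/// client certificate and verifies the listener against the stack CA.
// conf_dir: resolved stack conf directory (PLACEHOLDER — take it from the manager's install paths)
fn vault_health_cmd(conf_dir: &std::path::Path) -> String {
    let certs = conf_dir.join("system/certificates");
    format!(
        "curl -f -s --cacert {} --cert {} --key {} 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1",
        certs.join("ca/ca.crt").display(),
        certs.join("botserver/client.crt").display(),
        certs.join("botserver/client.key").display(),
    )
}
// … unchanged: package manager lookup …
let vault_already_running = safe_sh_command(&vault_health_cmd(conf_dir))
```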
@@ -1403,7 +1403,7 @@ meet IN A 127.0.0.1
 }
 }
- let health_check = safe_curl(&["-f", "-sk", "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"]);
+ let health_check = safe_curl(&["-f", "-sk", "--cert", "./botserver-stack/conf/system/certificates/botserver/client.crt", "--key", "./botserver-stack/conf/system/certificates/botserver/client.key", "https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200"]);
 if let Some(output) = health_check {
 if output.status.success() {
@@ -2098,6 +2098,7 @@ listener "tcp" {
 tls_disable = false
 tls_cert_file = "../../conf/system/certificates/vault/server.crt"
 tls_key_file = "../../conf/system/certificates/vault/server.key"
+ tls_client_ca_file = "../../conf/system/certificates/ca/ca.crt"
 }
 # API settings - use HTTPS
diff --git a/src/core/package_manager/installer.rs b/src/core/package_manager/installer.rs
index 0bf3cd1f5..81f0ecff6 100644
--- a/src/core/package_manager/installer.rs
+++ b/src/core/package_manager/installer.rs
@@ -912,6 +912,7 @@ listener "tcp" {
 tls_disable = false
 tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
 tls_key_file = "{{CONF_PATH}}/system/certificates/vault/server.key"
+ tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
 }
 api_addr = "https://localhost:8200"
@@ -937,6 +938,7 @@ listener "tcp" {
 tls_disable = false
 tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
 tls_key_file = "{{CONF_PATH}}/system/certificates/vault/server.key"
+ tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
 }
 api_addr = "https://localhost:8200"
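Review bot: `tls_client_ca_file` on the added line only tells Vault which CA to validate a presented client certificate against; as I read the listener options, a client that presents no certificate is still accepted, so this listener does not yet require the certificate the curl probes now send. If the intent is to enforce mTLS, add `tls_require_and_verify_client_cert = true` next to the new line here and in the two installer.rs templates at -912 and -937, and note that every other client of this listener, including the `vault` CLI, will then need a certificate signed by that CA. Either way a one-line comment on the listener block stating whether client certificates are optional or required would stop the next reader from assuming the stronger guarantee. The `listener "tcp"` block opens before the hunk.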
@@ -963,7 +965,7 @@ EOF"#.to_string(),
 data_download_list: Vec::new(),
 exec_cmd: "nohup {{BIN_PATH}}/vault server -config={{CONF_PATH}}/vault/config.hcl > {{LOGS_PATH}}/vault.log 2>&1 &"
 .to_string(),
- check_cmd: "curl -f -sk --connect-timeout 2 -m 5 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1"
+ check_cmd: "curl -f -sk --connect-timeout 2 -m 5 --cert {{CONF_PATH}}/system/certificates/botserver/client.crt --key {{CONF_PATH}}/system/certificates/botserver/client.key 'https://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200' >/dev/null 2>&1"
 .to_string(),
 },
 );