diff --git a/forwarder.c b/forwarder.c
index d3c101c..3826fa5 100644
--- a/forwarder.c
+++ b/forwarder.c
@@ -235,15 +235,18 @@ forwarder_ub_ctx_init(struct pfresolved *env)
 			fatalx("%s: ub_ctx_set_tls failed: %s", __func__,
 			    ub_strerror(res));
 
-		/* include root certs from /etc/ssl/cert.pem */
-		if ((res = ub_ctx_set_option(ctx, "tls-system-cert:", "yes")) != 0)
-			fatalx("%s: ub_ctx_set_option tls-system-cert failed: %s",
-			    __func__, ub_strerror(res));
-
-		if (env->sc_cert_bundle && (res = ub_ctx_set_option(ctx,
-		    "tls-cert-bundle:", env->sc_cert_bundle)) != 0)
-			fatalx("%s: ub_ctx_set_option tls-cert-bundle failed: %s",
-			    __func__, ub_strerror(res));
+		if (env->sc_cert_bundle) {
+			if ((res = ub_ctx_set_option(ctx, "tls-cert-bundle:",
+			    env->sc_cert_bundle)) != 0)
+				fatalx("%s: ub_ctx_set_option tls-cert-bundle "
+				    "failed: %s", __func__, ub_strerror(res));
+		} else {
+			/* include root certs from /etc/ssl/cert.pem */
+			if ((res = ub_ctx_set_option(ctx, "tls-system-cert:",
+			    "yes")) != 0)
+				fatalx("%s: ub_ctx_set_option tls-system-cert "
+				    "failed: %s", __func__, ub_strerror(res));
+		}
 	}
 
 	if (env->sc_dnssec_level > DNSSEC_NONE) {
diff --git a/pfresolved.8 b/pfresolved.8
index 613cdc2..5efc0dd 100644
--- a/pfresolved.8
+++ b/pfresolved.8
@@ -122,8 +122,7 @@ Unsigned query results will be discarded.
 .It Fl T
 Enable DNS-over-TLS.
 The system certificates will be automatically included and used for
-authentication.
-An additional certificate bundle can be specified using
+authentication unless a certificate bundle is specified using
 .Fl C .
 .It Fl v
 Produce more verbose output.