diff --git a/ocaml/libs/stunnel/stunnel.ml b/ocaml/libs/stunnel/stunnel.ml
index 1b6e9c3ee1..5f005ba811 100644
--- a/ocaml/libs/stunnel/stunnel.ml
+++ b/ocaml/libs/stunnel/stunnel.ml
@@ -149,6 +149,8 @@ let pool =
 ; cert_bundle_path= "/etc/stunnel/xapi-pool-ca-bundle.pem"
 }
+let world = {appliance with cert_bundle_path= "/etc/ssl/certs/ca-bundle.crt"}
+
 let external_host ext_host_cert_file =
 {sni= None; verify= VerifyPeer; cert_bundle_path= ext_host_cert_file}
diff --git a/ocaml/libs/stunnel/stunnel.mli b/ocaml/libs/stunnel/stunnel.mli
index ac7d08a0af..bfb7710e3b 100644
--- a/ocaml/libs/stunnel/stunnel.mli
+++ b/ocaml/libs/stunnel/stunnel.mli
@@ -59,6 +59,8 @@ val appliance : verification_config
 val pool : verification_config
+val world : verification_config
+
 val external_host : string -> verification_config
 val with_connect :
diff --git a/ocaml/libs/stunnel/stunnel_client.ml b/ocaml/libs/stunnel/stunnel_client.ml
index b6329a0e04..aa9391d613 100644
--- a/ocaml/libs/stunnel/stunnel_client.ml
+++ b/ocaml/libs/stunnel/stunnel_client.ml
@@ -33,5 +33,7 @@ let pool () = get_verification_config Stunnel.pool
 let appliance () = get_verification_config Stunnel.appliance
+let world () = get_verification_config Stunnel.world
+
 let external_host cert_file =
 Stunnel.external_host cert_file |> get_verification_config
diff --git a/ocaml/libs/stunnel/stunnel_client.mli b/ocaml/libs/stunnel/stunnel_client.mli
index b3dd0392bf..ab9cb297e6 100644
--- a/ocaml/libs/stunnel/stunnel_client.mli
+++ b/ocaml/libs/stunnel/stunnel_client.mli
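Review bot: `let world = {appliance with cert_bundle_path= ...}` copies `sni` and `verify` from `appliance`, whose definition is above this hunk, so a reader of the new value cannot tell which verification mode a connection to an arbitrary internet host will get; for such hosts, chain validation against the public CA bundle is only a real protection if the peer's name is also checked against the requested host, otherwise any certificate issued by any public CA would be accepted. If `appliance` already uses `VerifyPeer`, spelling the record out as `external_host` does, `let world = {sni= None; verify= VerifyPeer; cert_bundle_path= "/etc/ssl/certs/ca-bundle.crt"}`, makes the policy reviewable without changing behaviour, and a comment should state whether `VerifyPeer` includes hostname matching. The bundle path is also distribution-specific (Debian-derived systems ship `/etc/ssl/certs/ca-certificates.crt`), which deserves a one-line comment such as `(* system trust store as laid out on dom0 (RHEL-style path) *)`.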
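Review bot: `val world : verification_config` is added to the public interface without a doc comment, while the sibling client interface in this same change documents its `world`; this `.mli` is where the trust policy itself lives, so the intent should be recorded here too. Suggest `(** Verification config for hosts outside the pool and its appliances: the peer chain is checked against the system CA bundle (/etc/ssl/certs/ca-bundle.crt). *)`, placed on whichever side of the `val` the surrounding entries use.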
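Review bot: `let world () = get_verification_config Stunnel.world` routes the system-trust-store configuration through the same gate as `pool ()` and `appliance ()`, and the interface declares the result as an `option`. If `get_verification_config` (not visible in this hunk) yields `None` when `get_verify_by_default ()` is false, a caller that passes `~verify_cert:(world ())` to connect to an arbitrary URL will get no TLS verification at all whenever the pool-wide toggle is off, even though that toggle appears to govern trust between pool members rather than trust in internet hosts. If that is the helper's behaviour, consider making this one unconditional, `let world () = Some Stunnel.world`, or at least document in the `.mli` that `world ()` follows the pool's verify-by-default setting so callers can decide whether that is acceptable.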
@@ -17,7 +17,19 @@ val get_verify_by_default : unit -> bool
 val set_verify_by_default : bool -> unit
 val pool : unit -> Stunnel.verification_config option
+(** [pool ()] returns the configuration that's meant to be used to connect to
+ other xapi hosts in the pool *)
 val appliance : unit -> Stunnel.verification_config option
+(** [appliance ()] returns the configuration that's meant to be used to connect
+ to appliances providing services, like WLB or a licensing server. *)
+
+val world : unit -> Stunnel.verification_config option
+(** [world ()] returns the configuration that performs chain
+ verification using the system's default CA trust store
+ (/etc/ssl/certs/ca-bundle.crt). *)
 val external_host : string -> Stunnel.verification_config option
+(** [external_host path] returns the configuration that's meant to be used to connect to
+ a xapi hosts outside the pool. This is useful, for example, to provide an
+ update repository to download updates from. *)
diff --git a/ocaml/xapi/xapi_vm.ml b/ocaml/xapi/xapi_vm.ml
index 2d4595b6db..44a0b2c555 100644
--- a/ocaml/xapi/xapi_vm.ml
+++ b/ocaml/xapi/xapi_vm.ml
@@ -1557,7 +1557,8 @@ let rec import_inner n ~__context ~url ~sr ~full_restore ~force =
 else
 let uri = Uri.of_string url in
 try
- Open_uri.with_open_uri uri (fun fd ->
+ let verify_cert = Stunnel_client.world () in
+ Open_uri.with_open_uri ~verify_cert uri (fun fd ->
 let module Request = Cohttp.Request.Make (Cohttp_posix_io.Unbuffered_IO) in
 let module Response =
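Review bot: The doc comment for `world ()` says only that it "performs chain verification", but a caller using it for an arbitrary URL needs to know whether the peer's name is also matched against the requested host and whether the result can be `None` (the type is an `option`, like `pool ()` and `appliance ()`); since `Stunnel.world` is built from `appliance` in this change, the comment should state which verification mode and SNI it inherits rather than leave that to be inferred. Suggest rewording to `(** [world ()] returns the configuration for connecting to hosts outside the pool and its appliances (for example a VM import URL): the peer certificate chain is verified against the system CA trust store (/etc/ssl/certs/ca-bundle.crt). Whether the peer name is checked, and when [None] is returned, follows the same rules as [appliance ()]. *)`, adjusted to whatever `get_verification_config` actually does. The `external_host` comment also has a grammar slip, `a xapi hosts outside the pool` should read `xapi hosts outside the pool`.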