diff --git a/CHANGES.md b/CHANGES.md
index 4cc0a0ef1..2ac80cccc 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,6 @@
 ## Unreleased
 
+- cohttp-eio: Use system authenticator in example.
 - http, cohttp: remove the scheme field from requests. This means that
   [Request.uri] no longer returns the same URI as was to create the request
   with [Request.make] (@rgrinberg 1086)
diff --git a/cohttp-eio.opam b/cohttp-eio.opam
index f0331c184..facffb1db 100644
--- a/cohttp-eio.opam
+++ b/cohttp-eio.opam
@@ -30,6 +30,7 @@ depends: [
   "uri"
   "tls-eio" {with-test & >= "1.0.0"}
   "mirage-crypto-rng-eio" {with-test & >= "0.11.2"}
+  "ca-certs" {with-test & >= "1.0.0"}
   "fmt"
   "ptime"
   "http" {= version}
diff --git a/cohttp-eio/examples/client_tls.ml b/cohttp-eio/examples/client_tls.ml
index 9e7ee3a5b..7cc9983ac 100644
--- a/cohttp-eio/examples/client_tls.ml
+++ b/cohttp-eio/examples/client_tls.ml
@@ -1,13 +1,15 @@
 open Cohttp_eio
 
+let authenticator =
+  match Ca_certs.authenticator () with
+  | Ok x -> x
+  | Error (`Msg m) -> Fmt.failwith "Failed to create system store X509 authenticator: %s" m
+
 let () =
   Logs.set_reporter (Logs_fmt.reporter ());
   Logs_threaded.enable ();
   Logs.Src.set_level Cohttp_eio.src (Some Debug)
 
-let null_auth ?ip:_ ~host:_ _ =
-  Ok None (* Warning: use a real authenticator in your code! *)
-
 let https ~authenticator =
   let tls_config =
     match Tls.Config.client ~authenticator () with
@@ -25,7 +27,7 @@ let () =
   Eio_main.run @@ fun env ->
   Mirage_crypto_rng_eio.run (module Mirage_crypto_rng.Fortuna) env @@ fun () ->
   let client =
-    Client.make ~https:(Some (https ~authenticator:null_auth)) env#net
+    Client.make ~https:(Some (https ~authenticator)) env#net
   in
   Eio.Switch.run @@ fun sw ->
   let resp, body =
diff --git a/cohttp-eio/examples/dune b/cohttp-eio/examples/dune
index 045cadb9a..9b0f20751 100644
--- a/cohttp-eio/examples/dune
+++ b/cohttp-eio/examples/dune
@@ -9,6 +9,7 @@
   logs.fmt
   logs.threaded
   tls-eio
+  ca-certs
   mirage-crypto-rng-eio))
 
 (alias
diff --git a/dune-project b/dune-project
index c3657fe7c..0962c6c3a 100644
--- a/dune-project
+++ b/dune-project
@@ -381,6 +381,7 @@
   uri
   (tls-eio (and :with-test (>= 1.0.0)))
   (mirage-crypto-rng-eio (and :with-test (>= 0.11.2)))
+  (ca-certs (and :with-test  (>= "1.0.0")))
   fmt
   ptime
   (http