diff --git a/CHANGES.txt b/CHANGES.txt
index b9fa73a57..a9143dd76 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -45,6 +45,9 @@ until their removal in pip v1.8. For more information please see
 https://pip.pypa.io/en/latest/reference/pip_install.html#caching
+* Fixed :issue:`1680`. Attempt to locate system TLS certificates to use instead
+ of the included CA Bundle if possible. (:pull:`1866`)
+
 **1.5.7**
diff --git a/pip/cmdoptions.py b/pip/cmdoptions.py
index 3982dc2a8..1b17ad935 100644
--- a/pip/cmdoptions.py
+++ b/pip/cmdoptions.py
@@ -10,7 +10,7 @@ pass on state. To be consistent, all options will follow this design.
 import copy
 from optparse import OptionGroup, SUPPRESS_HELP, Option
 from pip.locations import (
- USER_CACHE_DIR, build_prefix, default_log_file, src_prefix,
+ CA_BUNDLE_PATH, USER_CACHE_DIR, build_prefix, default_log_file, src_prefix,
 )
@@ -164,7 +164,7 @@ cert = OptionMaker(
 '--cert',
 dest='cert',
 type='str',
- default='',
+ default=CA_BUNDLE_PATH,
 metavar='path',
 help="Path to alternate CA bundle.")
diff --git a/pip/locations.py b/pip/locations.py
index 65393a15f..8adadbee2 100644
--- a/pip/locations.py
+++ b/pip/locations.py
@@ -2,6 +2,7 @@
 import getpass
 import os
+import os.path
 import site
 import sys
 import tempfile
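Review bot: The `--cert` help text still reads as if the default were empty, but with `default=CA_BUNDLE_PATH` the option now silently defaults to whichever system bundle locations.py found by a bare `os.path.exists` check (or None), so `pip --help` no longer tells the user which trust store TLS verification will use. optparse expands `%default` inside help strings, so `help="Path to alternate CA bundle (default: %default)."` would surface the detected path with no further code. The default also changes type from `''` to `None` when no bundle is found; the code that reads `options.cert` is outside this hunk, so whether it treats `''` and `None` the same cannot be confirmed here and is worth checking. The enclosing `cert = OptionMaker(` call starts outside the hunk.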
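Review bot: The added `import os.path` is redundant: the `import os` on the line above already binds `os.path`, so the `os.path.exists` call in the new CA-bundle code later in this file resolves without it. Dropping the line keeps the import block consistent with the rest of the file; if it is kept on purpose (for a linter, say), a short trailing comment such as `import os.path  # kept deliberately` would stop the next reader from removing it.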
@@ -11,12 +12,46 @@ from distutils.command.install import install, SCHEME_KEYS
 from pip import appdirs
 from pip.compat import get_path_uid
+
 import pip.exceptions # Hack for flake8 install
+
+# CA Bundle Locations
+CA_BUNDLE_PATHS = [
+ # Debian/Ubuntu/Gentoo etc.
+ "/etc/ssl/certs/ca-certificates.crt",
+
+ # Fedora/RHEL
+ "/etc/pki/tls/certs/ca-bundle.crt",
+
+ # OpenSUSE
+ "/etc/ssl/ca-bundle.pem",
+
+ # OpenBSD
+ "/etc/ssl/cert.pem",
+
+ # FreeBSD/DragonFly
+ "/usr/local/share/certs/ca-root-nss.crt",
+
+ # Homebrew on OSX
+ "/usr/local/etc/openssl/cert.pem",
+]
+
+# Attempt to locate a CA Bundle that we can pass into requests, we have a list
+# of possible ones from various systems. If we cannot find one then we'll set
+# this to None so that we default to whatever requests is setup to handle.
+#
+# Note to Downstream: If you wish to disable this autodetection and simply use
+# whatever requests does (likely you've already patched
+# requests.certs.where()) then simply edit this line so
+# that it reads ``CA_BUNDLE_PATH = None``.
+CA_BUNDLE_PATH = next((x for x in CA_BUNDLE_PATHS if os.path.exists(x)), None)
+
+
 # Application Directories
 USER_CACHE_DIR = appdirs.user_cache_dir("pip")