diff --git a/cmd/docker-trust/internal/registry/registry.go b/cmd/docker-trust/internal/registry/registry.go
index dce11dcc0691..e7c228490082 100644
--- a/cmd/docker-trust/internal/registry/registry.go
+++ b/cmd/docker-trust/internal/registry/registry.go
@@ -4,13 +4,13 @@ package registry
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 
 	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/go-connections/tlsconfig"
 	"github.com/sirupsen/logrus"
 )
 
@@ -48,7 +48,7 @@ func loadTLSConfig(ctx context.Context, directory string, tlsConfig *tls.Config)
 		switch filepath.Ext(f.Name()) {
 		case ".crt":
 			if tlsConfig.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
+				systemPool, err := x509.SystemCertPool()
 				if err != nil {
 					return invalidParam(fmt.Errorf("unable to get system cert pool: %w", err))
 				}
diff --git a/internal/registry/registry.go b/internal/registry/registry.go
index 7832529ee671..667f129bc1e4 100644
--- a/internal/registry/registry.go
+++ b/internal/registry/registry.go
@@ -4,6 +4,7 @@ package registry
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -74,7 +75,7 @@ func loadTLSConfig(ctx context.Context, directory string, tlsConfig *tls.Config)
 		switch filepath.Ext(f.Name()) {
 		case ".crt":
 			if tlsConfig.RootCAs == nil {
-				systemPool, err := tlsconfig.SystemCertPool()
+				systemPool, err := x509.SystemCertPool()
 				if err != nil {
 					return invalidParam(fmt.Errorf("unable to get system cert pool: %w", err))
 				}