diff --git a/src/AgApiClient.cpp b/src/AgApiClient.cpp
index b7b5bc8..8de2596 100644
--- a/src/AgApiClient.cpp
+++ b/src/AgApiClient.cpp
@@ -68,7 +68,7 @@ bool AgApiClient::fetchServerConfiguration(void) {
     }
   } else {
     // By default, airgradient using https
-    if (client.begin(uri, AIRGRADIENT_SERVER_CA) == false) {
+    if (client.begin(uri, AG_SERVER_ROOT_CA) == false) {
       logError("Begin HTTPClient using tls failed (GET)");
       getConfigFailed = true;
       return false;
@@ -143,7 +143,7 @@ bool AgApiClient::postToServer(String data) {
     }
   } else {
     // By default, airgradient using https
-    if (client.begin(uri, AIRGRADIENT_SERVER_CA) == false) {
+    if (client.begin(uri, AG_SERVER_ROOT_CA) == false) {
       logError("Begin HTTPClient using tls failed (POST)");
       getConfigFailed = true;
       return false;
diff --git a/src/AirGradient.h b/src/AirGradient.h
index edfa2f4..f580ed0 100644
--- a/src/AirGradient.h
+++ b/src/AirGradient.h
@@ -19,7 +19,8 @@
 #endif
 
 #ifndef ESP8266
-const char *const AIRGRADIENT_SERVER_CA =
+// Airgradient server root ca certificate
+const char *const AG_SERVER_ROOT_CA =
     "-----BEGIN CERTIFICATE-----\n"
     "MIIF4jCCA8oCCQD7MgvcaVWxkTANBgkqhkiG9w0BAQsFADCBsjELMAkGA1UEBhMC\n"
     "VEgxEzARBgNVBAgMCkNoaWFuZyBNYWkxEDAOBgNVBAcMB01hZSBSaW0xGTAXBgNV\n"
diff --git a/src/OtaHandler.cpp b/src/OtaHandler.cpp
index 84c2080..c451581 100644
--- a/src/OtaHandler.cpp
+++ b/src/OtaHandler.cpp
@@ -8,7 +8,7 @@ void OtaHandler::setHandlerCallback(OtaHandlerCallback_t callback) { _callback =
 
 void OtaHandler::updateFirmwareIfOutdated(String deviceId) {
   String url =
-      "http://hw.airgradient.com/sensors/airgradient:" + deviceId + "/generic/os/firmware.bin";
+      "https://hw.airgradient.com/sensors/airgradient:" + deviceId + "/generic/os/firmware.bin";
   url += "?current_firmware=";
   url += GIT_VERSION;
   char urlAsChar[URL_BUF_SIZE];
@@ -17,6 +17,7 @@ void OtaHandler::updateFirmwareIfOutdated(String deviceId) {
 
   esp_http_client_config_t config = {};
   config.url = urlAsChar;
+  config.cert_pem = AG_SERVER_ROOT_CA;
   OtaUpdateOutcome ret = attemptToPerformOta(&config);
   Serial.println(ret);
   if (_callback) {