diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 5486997b6..87f605eab 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -721,6 +721,9 @@ cert_cache_init (strlist_t hkp_cacerts)
     load_certs_from_dir (fname, 0);
   xfree (fname);
 
+  /* Put the special pool certificate into our store.  This is
+   * currently only used with ntbtls.  For GnuTLS http_session_new
+   * unfortunately loads that certificate directly from the file.  */
   fname = make_filename_try (gnupg_datadir (),
                              "sks-keyservers.netCA.pem", NULL);
   if (fname)
diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
index 924b8b25f..ae5cf5519 100644
--- a/dirmngr/http-ntbtls.c
+++ b/dirmngr/http-ntbtls.c
@@ -77,8 +77,10 @@ gnupg_http_tls_verify_cb (void *opaque,
 
   validate_flags = VALIDATE_FLAG_TLS;
 
-  /* If we are using the standard hkps:// pool use the dedicated
-   * root certificate.  */
+  /* If we are using the standard hkps:// pool use the dedicated root
+   * certificate.  Note that this differes from the GnuTLS
+   * implementation which uses this special certificate only if no
+   * other certificates are configured. */
   hostname = ntbtls_get_hostname (tls);
   if (hostname
       && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
diff --git a/dirmngr/http.c b/dirmngr/http.c
index f3d98e14b..bfbc30276 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -765,10 +765,9 @@ http_session_new (http_session_t *r_session,
                     && !ascii_strcasecmp (intended_hostname,
                                           get_default_keyserver (1)));
 
-    /* If the user has not specified a CA list, and they are looking
-     * for the hkps pool from sks-keyservers.net, then default to
-     * Kristian's certificate authority:  */
-    if (!tls_ca_certlist && is_hkps_pool)
+    /* If we are looking for the hkps pool from sks-keyservers.net,
+     * then forcefully use its dedicated certificate authority.  */
+    if (is_hkps_pool)
       {
         char *pemname = make_filename_try (gnupg_datadir (),
                                            "sks-keyservers.netCA.pem", NULL);
@@ -788,11 +787,12 @@ http_session_new (http_session_t *r_session,
             xfree (pemname);
           }
 
-        add_system_cas = 0;
+        if (is_hkps_pool)
+          add_system_cas = 0;
       }
 
     /* Add configured certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_DEF))
+    if ((flags & HTTP_FLAG_TRUST_DEF) && !is_hkps_pool)
       {
         for (sl = tls_ca_certlist; sl; sl = sl->next)
           {
@@ -803,7 +803,10 @@ http_session_new (http_session_t *r_session,
               log_info ("setting CA from file '%s' failed: %s\n",
                         sl->d, gnutls_strerror (rc));
           }
-        if (!tls_ca_certlist && !is_hkps_pool)
+
+        /* If HKP trust is requested and there are no HKP certificates
+         * configured, also try the standard system certificates.  */
+        if (!tls_ca_certlist)
           add_system_cas = 1;
       }
 
@@ -825,7 +828,7 @@ http_session_new (http_session_t *r_session,
       }
 
     /* Add other configured certificates to the session.  */
-    if ((flags & HTTP_FLAG_TRUST_CFG))
+    if ((flags & HTTP_FLAG_TRUST_CFG) && !is_hkps_pool)
       {
         for (sl = cfg_ca_certlist; sl; sl = sl->next)
           {