diff --git a/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java b/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
index 1d1ab657..f2b318bd 100644
--- a/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
+++ b/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
@@ -294,45 +294,59 @@ else if ( keyUsage != null && ! keyUsage[5] ) { // KU_KEY_CERT_SIGN
     static {
         // roughly following the ideas from https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
-        // and falling back to trust store from java to be on the save side
-
+        // and falling back to trust store from java to be on the save side
+        // TODO usability in limited environments should be tested/reviewed
         final String JAVA_HOME = SafePropertyAccessor.getProperty("java.home", "");
         // if the default files/dirs exist we use them. with this a switch
         // from MRI to JRuby produces the same results. otherwise we use the
         // certs from JAVA_HOME.
-        final String MAYBE_CERT_FILE;
         final String LINUX_CERT_AREA = "/etc/ssl";
         final String MACOS_CERT_AREA = "/System/Library/OpenSSL";
-        final String MAYBE_PKI_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt";
-        if (new File(LINUX_CERT_AREA).exists()) {
-            X509_CERT_AREA = LINUX_CERT_AREA;
-            X509_CERT_DIR = X509_CERT_AREA + "/certs";
-            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
-            MAYBE_CERT_FILE = X509_CERT_DIR + "/cert.pem";
-        }
-        else if (new File(MACOS_CERT_AREA).exists()) {
-            X509_CERT_AREA = MACOS_CERT_AREA;
-            X509_CERT_DIR = X509_CERT_AREA + "/certs";
-            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
-            MAYBE_CERT_FILE = X509_CERT_AREA + "/cert.pem";
+
+        String certArea, certDir, privateDir;
+        String maybeCertFile;
+        String maybePkiCertFile = "/etc/pki/tls/certs/ca-bundle.crt";
+        try {
+            if (new File(LINUX_CERT_AREA).exists()) {
+                certArea = LINUX_CERT_AREA;
+                certDir = certArea + "/certs";
+                privateDir = certArea + "/private";
+                maybeCertFile = certDir + "/cert.pem";
+            }
+            else if (new File(MACOS_CERT_AREA).exists()) {
+                certArea = MACOS_CERT_AREA;
+                certDir = certArea + "/certs";
+                privateDir = certArea + "/private";
+                maybeCertFile = certArea + "/cert.pem";
+            }
+            else {
+                certArea = JAVA_HOME + "/lib/security";
+                certDir = certArea;
+                privateDir = certArea;
+                maybeCertFile = maybePkiCertFile;
+            }
         }
-        else {
-            X509_CERT_AREA = JAVA_HOME + "/lib/security";
-            X509_CERT_DIR = X509_CERT_AREA;
-            X509_PRIVATE_DIR = X509_CERT_AREA;
-            MAYBE_CERT_FILE = MAYBE_PKI_CERT_FILE;
+        catch (SecurityException e) {
+            maybeCertFile = null; maybePkiCertFile = null;
+            privateDir = certDir = certArea = JAVA_HOME + "/lib/security";
         }
-        if (new File(MAYBE_PKI_CERT_FILE).exists()) {
-            X509_CERT_FILE = MAYBE_PKI_CERT_FILE;
+
+        X509_CERT_AREA = certArea;
+        X509_CERT_DIR = certDir;
+        X509_PRIVATE_DIR = privateDir;
+
+        if (maybePkiCertFile != null && new File(maybePkiCertFile).exists()) {
+            X509_CERT_FILE = maybePkiCertFile;
         }
-        else if (new File(MAYBE_CERT_FILE).exists()) {
-            X509_CERT_FILE = MAYBE_CERT_FILE;
+        else if (maybeCertFile != null && new File(maybeCertFile).exists()) {
+            X509_CERT_FILE = maybeCertFile;
         }
         else {
             X509_CERT_FILE = JAVA_HOME + "/lib/security/cacerts";
         }
+        // keep it with some meaninful content as it is a public constant
         OPENSSLDIR = X509_CERT_AREA;
     }
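Review bot: The new `catch (SecurityException e)` guards only the area-detection probes; the two later `new File(maybePkiCertFile).exists()` / `new File(maybeCertFile).exists()` checks on the new side run outside the try, so a manager policy that allows reading `/etc/ssl` but denies `/etc/pki/...` would still throw from the static initializer and fail class loading, which is exactly the limited-environment case the new TODO comment names. I would route every probe through one small helper that treats a denied check as "not there", so the fallback to `JAVA_HOME + "/lib/security/cacerts"` is reached consistently; the helper also gives the swallowed exception a home and a reason, since in the current catch `e` is dropped with no comment. The duplicated `JAVA_HOME + "/lib/security"` in the else branch and the catch could then become one local, but that is cosmetic. Two typos in the added comment lines: `save side` should read `safe side` and `meaninful` should read `meaningful`.
```java
        // … unchanged: area detection inside try / catch (SecurityException) …

        if (maybePkiCertFile != null && fileExists(maybePkiCertFile)) {
            X509_CERT_FILE = maybePkiCertFile;
        }
        else if (maybeCertFile != null && fileExists(maybeCertFile)) {
            X509_CERT_FILE = maybeCertFile;
        }
        // … unchanged: cacerts fallback and OPENSSLDIR assignment …
    }

    // a probe the (security) manager refuses is reported like a missing file,
    // so store detection always degrades to the JAVA_HOME defaults instead of
    // failing class initialization
    private static boolean fileExists(final String path) {
        try {
            return new File(path).exists();
        }
        catch (SecurityException ignored) {
            return false;
        }
    }
```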