diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index b65ee446..68db1f7c 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.36 2018/11/05 00:13:36 jsing Exp $ */
+/* $OpenBSD: constraint.c,v 1.37 2018/11/06 20:41:36 jsing Exp $ */
 /*
 * Copyright (c) 2015 Reyk Floeter
@@ -339,7 +339,7 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 /* Init TLS and load CA certs before chroot() */
 if (tls_init() == -1)
 fatalx("tls_init");
- if ((conf->ca = tls_load_file(CONSTRAINT_CA,
+ if ((conf->ca = tls_load_file(TLS_CA_CERT_FILE,
 &conf->ca_len, NULL)) == NULL)
 fatalx("failed to load constraint ca");
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index c646ec37..a3847c4f 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.117 2018/08/31 18:45:02 deraadt Exp $ */
+/* $OpenBSD: ntpd.c,v 1.118 2018/11/06 20:41:36 jsing Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -247,7 +248,7 @@ main(int argc, char *argv[])
 * Constraint processes are forked with certificates in memory,
 * then privdrop into chroot before speaking to the outside world.
 */
- if (unveil("/etc/ssl/cert.pem", "r") == -1)
+ if (unveil(TLS_CA_CERT_FILE, "r") == -1)
 err(1, "unveil");
 if (unveil("/usr/sbin/ntpd", "x") == -1)
 err(1, "unveil");
diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
index deaf2a9a..0bb7f1bc 100644
--- a/src/usr.sbin/ntpd/ntpd.h
+++ b/src/usr.sbin/ntpd/ntpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.h,v 1.136 2018/08/04 11:07:14 mestre Exp $ */
+/* $OpenBSD: ntpd.h,v 1.137 2018/11/06 20:41:36 jsing Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
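Review bot: The failure message after the changed `tls_load_file()` call in priv_constraint_child() still reads `failed to load constraint ca` and does not say which file was tried, while the path now comes from a macro defined outside this file. Naming it, e.g. `fatalx("failed to load constraint ca %s", TLS_CA_CERT_FILE);` (assuming fatalx() takes a printf-style format here), tells an operator what to check when the constraint process cannot start. The unveil hunk in ntpd.c main() has the same gap: both visible calls report a bare `err(1, "unveil")`, so `err(1, "unveil %s", TLS_CA_CERT_FILE);` would show which path was refused. Both function bodies continue outside their hunks.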
@@ -80,7 +80,6 @@
 #define CONSTRAINT_PORT "443" /* HTTPS port */
 #define CONSTRAINT_MAXHEADERLENGTH 8192
 #define CONSTRAINT_PASSFD (STDERR_FILENO + 1)
-#define CONSTRAINT_CA "/etc/ssl/cert.pem"
 #define PARENT_SOCK_FILENO CONSTRAINT_PASSFD