diff --git a/tlsconfig/certpool.go b/tlsconfig/certpool.go
index f84c624b..803f1e12 100644
--- a/tlsconfig/certpool.go
+++ b/tlsconfig/certpool.go
@@ -1,16 +1,12 @@
 package tlsconfig
 
-import (
-	"crypto/x509"
-	"runtime"
-)
+import "crypto/x509"
 
-// SystemCertPool returns a copy of the system cert pool,
-// returns an error if failed to load or empty pool on windows.
+// SystemCertPool returns a copy of the system cert pool.
+//
+// Deprecated: use [x509.SystemCertPool] instead.
+//
+//go:fix inline
 func SystemCertPool() (*x509.CertPool, error) {
-	certpool, err := x509.SystemCertPool()
-	if err != nil && runtime.GOOS == "windows" {
-		return x509.NewCertPool(), nil
-	}
-	return certpool, err
+	return x509.SystemCertPool()
 }
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index 8b0264f6..aeb00051 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -84,7 +84,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	if exclusivePool {
 		pool = x509.NewCertPool()
 	} else {
-		pool, err = SystemCertPool()
+		pool, err = x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
index e2f61255..8a74464c 100644
--- a/tlsconfig/config_test.go
+++ b/tlsconfig/config_test.go
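Review bot: The new Deprecated comment should state the behavior change, because the old wrapper returned an empty pool with a nil error on Windows when x509.SystemCertPool failed, while the inlined version now propagates that error; callers that relied on the silent fallback will start seeing errors once `go fix` inlines the call. Suggest one more line in the comment, such as `// Unlike earlier versions, this no longer substitutes an empty pool on Windows when loading fails; the error is returned unchanged.`. An empty pool was already fail-closed for verification, so the new behavior only makes the failure explicit, which is worth saying so readers do not assume a loosening.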
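Review bot: The error wrap on the context line directly below the changed call still uses `%v`, so callers of certPool cannot inspect the underlying x509 error with errors.Is or errors.As; since this call site is being touched, switch it to `return nil, fmt.Errorf("failed to read system certificates: %w", err)`. With the Windows fallback gone, this branch is now the only place a system-pool load failure surfaces for the non-exclusive case, which is the correct fail-closed outcome, and that makes preserving the wrapped error more useful than before. certPool starts and ends outside the hunk.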
@@ -183,9 +183,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 	if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {
 		t.Fatal("ClientAuth was not set to what was in the options")
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
@@ -441,9 +441,9 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
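Review bot: The new `t.Fatal("Failed to get SystemCertPool", err)` turns a previously tolerated system-pool load failure into a hard test failure, which is the honest outcome now that the wrapper no longer substitutes an empty pool, but the message reads better in the file's lowercase, formatted style as `t.Fatalf("loading system cert pool: %v", err)`; the same applies to the identical hunk at line 441. Both assertions still compare `Subjects()` of the configured pool against the system pool plus two, which only holds because both sides now come from the same x509.SystemCertPool source, so a short comment stating that invariant would help the next reader, since on platforms where Subjects omits system roots both counts shrink together. The nolint comment on the second hunk's context line names tlsConfig.ClientCAs while that line checks tlsConfig.RootCAs, apparently a copy-paste leftover worth tidying while here.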