diff --git a/ci_scripts/setup-keyring-servers.sh b/ci_scripts/setup-keyring-servers.sh
index 356d98b586c..962f8592443 100755
--- a/ci_scripts/setup-keyring-servers.sh
+++ b/ci_scripts/setup-keyring-servers.sh
@@ -17,12 +17,14 @@ cd ..
 echo $SCRIPT_DIR
 pykmip-server -f "$SCRIPT_DIR/../contrib/pg_tde/pykmip-server.conf" -l /tmp/kmip-server.log &
-TV=$(mktemp)
-{ exec >$TV; vault server -dev; } &
+CLUSTER_INFO=$(mktemp)
+vault server -dev -dev-tls -dev-cluster-json="$CLUSTER_INFO" > /dev/null &
 sleep 10
-export ROOT_TOKEN_FILE=$(mktemp)
-cat $TV | grep "Root Token" | cut -d ":" -f 2 | xargs echo -n > $ROOT_TOKEN_FILE
-echo "export ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE"
+export VAULT_ROOT_TOKEN_FILE=$(mktemp)
+jq -r .root_token "$CLUSTER_INFO" > "$VAULT_ROOT_TOKEN_FILE"
+export VAULT_CACERT_FILE=$(jq -r .ca_cert_path "$CLUSTER_INFO")
+rm "$CLUSTER_INFO"
 if [ -v GITHUB_ACTIONS ]; then
- echo "ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE" >> $GITHUB_ENV
+ echo "VAULT_ROOT_TOKEN_FILE=$VAULT_ROOT_TOKEN_FILE" >> $GITHUB_ENV
+ echo "VAULT_CACERT_FILE=$VAULT_CACERT_FILE" >> $GITHUB_ENV
 fi
diff --git a/contrib/pg_tde/expected/vault_v2_test.out b/contrib/pg_tde/expected/vault_v2_test.out
index 0dc4a637b53..291d230dd1d 100644
--- a/contrib/pg_tde/expected/vault_v2_test.out
+++ b/contrib/pg_tde/expected/vault_v2_test.out
@@ -1,6 +1,7 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-\getenv root_token_file ROOT_TOKEN_FILE
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
 pg_tde_add_database_key_provider_vault_v2
 -------------------------------------------
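Review bot: The new `jq -r .root_token "$CLUSTER_INFO"` and `jq -r .ca_cert_path` lines run after a fixed `sleep 10` with no check that vault has actually written the cluster JSON, so on a slow start `VAULT_ROOT_TOKEN_FILE` is left empty and `VAULT_CACERT_FILE` blank without any error at this point, and the failure presumably only surfaces later as an opaque keyring error in the SQL tests. I would poll until the file contains `root_token` and make both extractions fail loudly with `jq -e`, which exits non-zero when the input is empty, partial, or lacks the key; the `export VAR=$(...)` form also masks jq's exit status, so declaration and assignment should be split. The script's `set` options are above this hunk, so I cannot tell from here whether `set -e` would catch any of this. Deleting `$CLUSTER_INFO` right after extraction is the right call, since it holds the root token in plaintext.
```shell
CLUSTER_INFO=$(mktemp)
vault server -dev -dev-tls -dev-cluster-json="$CLUSTER_INFO" > /dev/null &
# Wait for the dev server to publish its cluster info; jq -e exits non-zero
# while the file is empty, partially written, or has no root_token yet.
for _ in {1..30}; do
  jq -e .root_token "$CLUSTER_INFO" > /dev/null 2>&1 && break
  sleep 1
done
VAULT_ROOT_TOKEN_FILE=$(mktemp)
export VAULT_ROOT_TOKEN_FILE
jq -er .root_token "$CLUSTER_INFO" > "$VAULT_ROOT_TOKEN_FILE" \
  || { echo "vault root token not available in $CLUSTER_INFO" >&2; exit 1; }
VAULT_CACERT_FILE=$(jq -er .ca_cert_path "$CLUSTER_INFO") \
  || { echo "vault CA cert path not available in $CLUSTER_INFO" >&2; exit 1; }
export VAULT_CACERT_FILE
rm "$CLUSTER_INFO"
# … unchanged: GITHUB_ACTIONS env export …
```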
@@ -16,7 +17,7 @@ CREATE TABLE test_enc(
 ) USING tde_heap;
 ERROR: principal key not configured
 HINT: create one using pg_tde_set_key before using encrypted tables
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
 pg_tde_add_database_key_provider_vault_v2
 -------------------------------------------
@@ -52,9 +53,15 @@ SELECT pg_tde_verify_key();
 DROP TABLE test_enc;
 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 ERROR: HTTP(S) request to keyring provider "will-not-work" failed
 -- Changing provider fails if we can't connect to vault
-SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 ERROR: HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+ERROR: HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);
+ERROR: Listing secrets of "http://127.0.0.1:8200" at mountpoint "secret" failed
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/sql/vault_v2_test.sql b/contrib/pg_tde/sql/vault_v2_test.sql
index 78c8c6e434c..a1f5a92233d 100644
--- a/contrib/pg_tde/sql/vault_v2_test.sql
+++ b/contrib/pg_tde/sql/vault_v2_test.sql
@@ -1,8 +1,9 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-\getenv root_token_file ROOT_TOKEN_FILE
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
 -- FAILS
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect');
@@ -12,7 +13,7 @@ CREATE TABLE test_enc(
 PRIMARY KEY (id)
 ) USING tde_heap;
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2');
 CREATE TABLE test_enc(
@@ -32,9 +33,15 @@ SELECT pg_tde_verify_key();
 DROP TABLE test_enc;
 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 -- Changing provider fails if we can't connect to vault
-SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
+
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);
 DROP EXTENSION pg_tde;