diff --git a/config/settings/base.py b/config/settings/base.py
index 5d2d61a98b86cf080e0e18409c1944045dac0556..98bc076a6f657f8112bc963a8fcb10e01c2b3226 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -274,6 +274,9 @@ X509_ISSUER_DN_HEADER = 'HTTP_SSL_CLIENT_I_DN'
 X509_CERT_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT'
 X509_INFOS_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS'
 
+# Path to CA store for X509 certificate verification
+CAPATH = '/etc/grid-security/certificates'
+
 # List of authentication backends to use when attempting to authenticate
 # a user.  Will be used in this order.  Authentication for the API is
 # handled by the REST_FRAMEWORK dictionary.
diff --git a/gracedb/api/backends.py b/gracedb/api/backends.py
index 2d4dd5ff27b12d7b372f12238ae2dcbe50160724..02f6df9212fb2e3046807eef049b08a5d21c159a 100644
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -249,16 +249,14 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
 
         return cert_der
 
-    def verify_certificate_chain(self, cert_data,
-        trusted_certs='/etc/grid-security/certificates'):
-
+    def verify_certificate_chain(self, cert_data, capath=settings.CAPATH):
         # Load certificate data
         certificate = OpenSSL.crypto.load_certificate(
             OpenSSL.crypto.FILETYPE_ASN1, cert_data)
 
         # Set up context and get certificate store 
         ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
-        ctx.load_verify_locations(None, capath=trusted_certs)
+        ctx.load_verify_locations(None, capath=capath)
         store = ctx.get_cert_store()
 
         # Verify certificate