At the moment to use SSL certificate verification with the urllib3 backend, the docs say to:

• pass verify_certs=True
• either set ca_certs to the location of the system root certificates, or else install certifi and use:

import certifi es = Elasticsearch( # ... ca_certs=certifi.where(), )

Ideally it would be better to automatically use the value from certifi.where() if certifi is available (and the user hadn't set ca_certs themselves) - avoiding the need for the boilerplate above.

The elasticsearch-py docs could then be simplified to say something like:
"To enable certificate verification, install certifi and pass verify_certs=True, or manually pass your own certificates like so..."

This would be similar to the requests library behaviour (except instead of falling back to the vendored version, it would fall back to None):
https://github.com/kennethreitz/requests/blob/v2.10.0/requests/certs.py#L17

This could also pave the way in the future to inverting the value for verify_certs and actually having it enabled by default (or at least by default iff certifi is found).

I'm happy to open a PR if this would be accepted?