diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 6b4d5dd6e5..170885346f 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -230,6 +230,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
 {% block base_redhat_binary_versionlock %}{% endblock %}
 {% if install_type == 'binary' %}
 {% set base_centos_binary_packages = [
+ 'ca-certificates',
 'findutils',
 'iproute',
 'iscsi-initiator-utils',
@@ -259,6 +260,7 @@ RUN yum-config-manager --enable rhel-7-server-optional-rpms \
 {% if install_type == 'source' %}
 {% set base_centos_source_packages = [
+ 'ca-certificates',
 'curl',
 'iproute',
 'iscsi-initiator-utils',
@@ -429,6 +431,7 @@ RUN sed -i -e "s+#\!/usr/bin/env python+#\!/usr/bin/env python3+g" /usr/local/bi
 {% endif %}
 COPY start.sh /usr/local/bin/kolla_start
+COPY copy_cacerts.sh /usr/local/bin/kolla_copy_cacerts
 COPY sudoers /etc/sudoers
 COPY curlrc /root/.curlrc
@@ -461,7 +464,7 @@ ENTRYPOINT ["dumb-init", "--single-child", "--"]
 {% endif %}
 RUN touch /usr/local/bin/kolla_extend_start \
- && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs \
+ && chmod 755 /usr/local/bin/kolla_start /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_set_configs /usr/local/bin/kolla_copy_cacerts \
 && chmod 440 /etc/sudoers \
 && mkdir -p /var/log/kolla \
 && chown :kolla /var/log/kolla \
diff --git a/docker/base/copy_cacerts.sh b/docker/base/copy_cacerts.sh
new file mode 100644
index 0000000000..aa0dd679a4
--- /dev/null
+++ b/docker/base/copy_cacerts.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Copy custom CA certificates to system trusted CA certificates folder
+# and run CA update utility
+
+# Remove old certificates
+rm -f /usr/local/share/ca-certificates/kolla-customca-* \
+ /etc/pki/ca-trust/source/anchors/kolla-customca-*
+
+if [[ -d /var/lib/kolla/config_files/ca-certificates ]] && \
+ [[ ! -z "$(ls -A /var/lib/kolla/config_files/ca-certificates/)" ]]; then
+ if [[ -e /etc/debian_version ]]; then
+ # Debian, Ubuntu
+ for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+ file=$(basename "$cert")
+ cp $cert "/usr/local/share/ca-certificates/kolla-customca-$file"
+ done
+ update-ca-certificates
+ elif [[ -e /etc/redhat-release ]]; then
+ # CentOS, RHEL
+ for cert in /var/lib/kolla/config_files/ca-certificates/*; do
+ file=$(basename "$cert")
+ cp $cert "/etc/pki/ca-trust/source/anchors/kolla-customca-$file"
+ done
+ update-ca-trust
+ fi
+fi
diff --git a/docker/base/start.sh b/docker/base/start.sh
index 34a6e5397d..b7ecc22aec 100644
--- a/docker/base/start.sh
+++ b/docker/base/start.sh
@@ -9,6 +9,9 @@ sudo -E kolla_set_configs
 CMD=$(cat /run_command)
 ARGS=""
+# Install/remove custom CA certificates
+sudo kolla_copy_cacerts
+
 if [[ ! "${!KOLLA_SKIP_EXTEND_START[@]}" ]]; then
 # Run additional commands if present
 . kolla_extend_start
diff --git a/docker/base/sudoers b/docker/base/sudoers
index 76baefcb07..da9c04c302 100644
--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@@ -15,4 +15,7 @@ root ALL=(ALL) ALL
 # root user via sudo without password confirmation
 %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
+# Copy custom CA certificates to containers
+%kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
+
 #includedir /etc/sudoers.d
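Review bot: The "remove" half of copy_cacerts.sh is incomplete: `rm -f` deletes the stale `kolla-customca-*` anchors unconditionally, but `update-ca-certificates` / `update-ca-trust` only runs inside the non-empty-directory branch, so when the last custom CA is taken out of `config_files/ca-certificates` the compiled bundle is never regenerated and the removed CA presumably stays trusted until something else rebuilds it. Because this script runs as root via passwordless sudo on files from a mounted directory, the copy loop should also quote `$cert`, skip anything that is not a regular file (plain `cp` follows symlinks), and the update command should run on every invocation; the `ls -A` test becomes unnecessary once non-matching globs are skipped. The rewrite below keeps the same distro detection, destination paths and file-name prefix.

```shell
#!/bin/bash
# … unchanged: header comments …

# Remove old certificates
rm -f /usr/local/share/ca-certificates/kolla-customca-* \
    /etc/pki/ca-trust/source/anchors/kolla-customca-*

if [[ -e /etc/debian_version ]]; then
    # Debian, Ubuntu
    dest=/usr/local/share/ca-certificates
    update_cmd=update-ca-certificates
elif [[ -e /etc/redhat-release ]]; then
    # CentOS, RHEL
    dest=/etc/pki/ca-trust/source/anchors
    update_cmd=update-ca-trust
else
    exit 0
fi

src=/var/lib/kolla/config_files/ca-certificates
if [[ -d "$src" ]]; then
    for cert in "$src"/*; do
        # Only regular files: this runs as root via sudo on a host-mounted
        # directory, so never follow symlinks into the trust store.
        [[ -f "$cert" && ! -L "$cert" ]] || continue
        cp -- "$cert" "$dest/kolla-customca-$(basename "$cert")"
    done
fi

# Always regenerate the bundle so CAs removed above are actually untrusted.
"$update_cmd"
```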
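Review bot: The new sudoers rule lets any member of the `kolla` group run `kolla_copy_cacerts` as root without a password, and that script copies whatever is under `/var/lib/kolla/config_files/ca-certificates` into the system trust store, so the rule is only as safe as the write protection on that directory, which this change does not show. That assumption deserves to be recorded next to the rule so it survives later refactors, e.g. `# Only safe while /var/lib/kolla/config_files is not writable by the kolla user (mount it read-only)`. The entry otherwise mirrors the existing `kolla_set_configs` line, so the style is consistent.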