diff --git a/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml b/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml
index 86193757e..1561c04f3 100644
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/host_vars/default.yml
@@ -130,6 +130,22 @@ docker_registries:
 #is_secure_registry: True
+# Certificates
+# =================
+#
+# These values provide a means to install certificates onto the system.
+# For example the ssl_ca_cert parameter may be used to install a trusted CA to
+# the system. A trusted CA certificate will be required if the end user
+# configures a private docker registry that is signed by an unknown Certificate
+# Authority.
+#
+# The certificate value is the absolute path of the certificate file.
+# The certificate must be in PEM format.
+# The supported certificates are:
+# - ssl_ca_cert
+#
+#ssl_ca_cert: /path/to/ssl_ca_cert_file
+
 # ADMIN CREDENTIALS
 # =================
 #
diff --git a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml
index 190b3883f..4934c2ec7 100644
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/tasks/main.yml
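Review bot: The new comment block states that the value is the absolute path of the certificate file but does not say on which machine that path must exist; the tasks added in this same change read it with `copy: src:` and test it with `is file`, both of which resolve on the host running the playbook rather than on the host being bootstrapped. If this playbook can be run from a remote controller, that distinction decides between a successful install and a "file not found" failure. Suggest adding after the PEM sentence: `# The path is resolved on the host that runs the playbook.`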
@@ -186,6 +186,34 @@
 when: save_config
+- block:
+ - name: Copy ssl_ca certificate
+ copy:
+ src: "{{ ssl_ca_cert }}"
+ dest: "{{ temp_ssl_ca }}"
+ - name: Remove ssl_ca complete flag
+ file:
+ path: "{{ ssl_ca_complete_flag }}"
+ state: absent
+ - name: Add ssl_ca certificate
+ shell: source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca }}
+ - name: Wait for certificate install
+ wait_for:
+ path: "{{ ssl_ca_complete_flag }}"
+ state: present
+ timeout: 360
+ msg: Timeout waiting for ssl_ca certificate install
+ - name: Cleanup temporary certificate
+ file:
+ path: "{{ temp_ssl_ca }}"
+ state: absent
+ when: ssl_ca_cert is defined and ssl_ca_cert
+
 # PXE boot files
 - name: Set pxeboot files source if address allocation is dynamic
 set_fact:
diff --git a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml
index 9df730260..b50f50841 100644
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/persist-config/vars/main.yml
@@ -3,3 +3,5 @@ keyring_workdir: /tmp/python_keyring
 docker_proxy_conf: /etc/systemd/system/docker.service.d/http-proxy.conf
 minimum_root_disk_size: 240
 default_security_feature: "nopti nospectre_v2"
+temp_ssl_ca: /tmp/ca_cert.pem
+ssl_ca_complete_flag: /etc/platform/.ssl_ca_complete
diff --git a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml
index 856aeb5b6..7faad1d4d 100644
--- a/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml
+++ b/playbookconfig/playbookconfig/playbooks/bootstrap/roles/validate-config/tasks/main.yml
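Review bot: The temporary certificate at `{{ temp_ssl_ca }}` is only removed by the last task of the new block, so when `system certificate-install` returns non-zero or the `wait_for` on `{{ ssl_ca_complete_flag }}` times out, the copied file is left behind in /tmp; moving the cleanup task into an `always:` section of the block guarantees it runs on both paths. The `shell:` task also has no `changed_when`, so every bootstrap run reports a change for it, and `source` is a bash-ism that only works because the platform's /bin/sh happens to be bash — pinning `args: executable: /bin/bash` would make that explicit. The original indentation of the block was lost when this hunk was flattened, so the excerpt below uses conventional two-space nesting.
```yaml
- block:
    # … unchanged: copy certificate, remove flag, certificate-install, wait_for …
  always:
    - name: Cleanup temporary certificate
      file:
        path: "{{ temp_ssl_ca }}"
        state: absent
  when: ssl_ca_cert is defined and ssl_ca_cert
```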
@@ -389,6 +389,12 @@
 (docker_images_archive_source is not none)
+- name: Check for ssl_ca_cert file
+ fail:
+ msg: "ssl_ca_cert file not found. ({{ ssl_ca_cert }})"
+ when: ssl_ca_cert is defined and (not ssl_ca_cert is file)
+
+
 # bootstrap_config ini file generation
 - block:
 - name: Create config workdir
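Review bot: The guard `when: ssl_ca_cert is defined and (not ssl_ca_cert is file)` treats an empty value as an error (it fails with `ssl_ca_cert file not found. ()`), while the persist-config block in this same change skips on `ssl_ca_cert is defined and ssl_ca_cert`, so the two roles disagree about what an empty setting means. The check also accepts a relative path even though default.yml documents the value as absolute, and `is file` is evaluated on the host running the playbook, which the failure message does not say. Either make the validation explicit about both, e.g. `when: ssl_ca_cert is defined and (not ssl_ca_cert is abs or not ssl_ca_cert is file)` with `msg: "ssl_ca_cert must be an absolute path to an existing file on the Ansible host. ({{ ssl_ca_cert }})"`, or align the guard with persist-config by appending `and ssl_ca_cert` before the file test.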