diff --git a/elements/ca-certificate/README.rst b/elements/ca-certificate/README.rst
new file mode 100644
index 0000000..d96fce0
--- /dev/null
+++ b/elements/ca-certificate/README.rst
@@ -0,0 +1,16 @@
+==============
+ca-certificate
+==============
+Add custom CA certifacte to the trusted CA bundle and update it.
+
+`DIB_CUSTOM_CA_CERTIFICATE_URL`: URL to the custom CA certifacte
+`DIB_CUSTOM_CA_CERTIFICATE_NAME`: The file name to use when saving the certifacte locally (optional)
+
+If `DIB_CUSTOM_CA_CERTIFICATE_NAME` is not defined, the certifacte will be saved as `custom-ca`
+
+For example:
+
+ .. code-block::
+
+ export DIB_CUSTOM_CA_CERTIFICATE_URL="https://www.example.org/custom.pem"
+ export DIB_CUSTOM_CA_CERTIFICATE_NAME="my-cert.pem"
diff --git a/elements/ca-certificate/environment.d/ca-certificate b/elements/ca-certificate/environment.d/ca-certificate
new file mode 100755
index 0000000..2b2298a
--- /dev/null
+++ b/elements/ca-certificate/environment.d/ca-certificate
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+export CUSTOM_CA_CERTIFICATE_URL=${DIB_CUSTOM_CA_CERTIFICATE_URL:?"You must define DIB_CUSTOM_CA_CERTIFICATE_URL"}
+export CUSTOM_CA_CERTIFICATE_NAME=${DIB_CUSTOM_CA_CERTIFICATE_NAME:-"custom-ca"}
diff --git a/elements/ca-certificate/pre-install.d/00-03-copy-ca-certificate b/elements/ca-certificate/pre-install.d/00-03-copy-ca-certificate
new file mode 100755
index 0000000..fa371d5
--- /dev/null
+++ b/elements/ca-certificate/pre-install.d/00-03-copy-ca-certificate
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+if type dnf; then
+ curl -x "" -o /etc/pki/ca-trust/source/anchors/$CUSTOM_CA_CERTIFICATE_NAME $CUSTOM_CA_CERTIFICATE_URL
+ sudo update-ca-trust
+else
+ curl -x "" -o /usr/local/share/ca-certificates/$CUSTOM_CA_CERTIFICATE_NAME $CUSTOM_CA_CERTIFICATE_URL
+ sudo update-ca-certificates
+fi
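Review bot: In `environment.d/ca-certificate`, `CUSTOM_CA_CERTIFICATE_NAME` is exported without any check, and the pre-install script in this commit appends it to the trust-anchor directory, so a value containing `/` or `..` makes the download land outside that directory. A guard after the two exports would reject such names, for example `case "$CUSTOM_CA_CERTIFICATE_NAME" in */*|.*) echo "DIB_CUSTOM_CA_CERTIFICATE_NAME must be a plain file name" >&2; exit 1;; esac` (with `return 1` instead of `exit 1` if this file is sourced rather than executed). The URL is likewise accepted with any scheme; because the fetched file becomes a trust anchor, refusing anything other than `https://` here would keep a plain-HTTP fetch from being altered in transit. A short header comment such as `# Values consumed by pre-install.d/00-03-copy-ca-certificate` would make the coupling between the two files visible.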
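Review bot: In `pre-install.d/00-03-copy-ca-certificate`, both `curl` calls store whatever the server returns as a system trust anchor: without `--fail` an HTTP error body is saved and curl still exits 0, nothing limits the scheme to HTTPS, and the content is never compared with an expected digest. On the `else` branch update-ca-certificates only picks up files whose name ends in `.crt`, so neither the default `custom-ca` nor the README's `my-cert.pem` would be added to the bundle. `$CUSTOM_CA_CERTIFICATE_NAME` and `$CUSTOM_CA_CERTIFICATE_URL` are also unquoted in both commands. The sketch below resolves the target path once, quotes both variables, adds `--fail` and `--proto '=https'`, and forces the `.crt` suffix on the Debian-style path. Pinning a SHA-256 of the certificate through an additional optional variable would close the remaining gap.

```shell
# … unchanged: shebang, trace toggle, set -eu, set -o pipefail …

if type dnf; then
    anchor="/etc/pki/ca-trust/source/anchors/$CUSTOM_CA_CERTIFICATE_NAME"
    refresh=update-ca-trust
else
    # update-ca-certificates only reads files whose name ends in .crt
    anchor="/usr/local/share/ca-certificates/${CUSTOM_CA_CERTIFICATE_NAME%.crt}.crt"
    refresh=update-ca-certificates
fi

# --fail keeps an HTTP error page from being stored as a trust anchor;
# --proto '=https' refuses to fetch the anchor over an unauthenticated channel.
curl -x "" --fail --proto '=https' -o "$anchor" "$CUSTOM_CA_CERTIFICATE_URL"
sudo "$refresh"
```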