diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 47ba383ced6b196847ec86118f2bf47c49ad1f51..56bbd3e4923f3e22c3519abede3879fc6f9784cf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -104,6 +104,15 @@ stages:
   - export RELEASE_IMAGE_TAG="${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
   - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_IMAGE_TAG}"
 
+.install-custom-ca: &install-custom-ca
+  - |
+    if [ -f "${CUSTOM_CA}" ]; then
+      cp "$CUSTOM_CA" /usr/share/pki/ca-trust-source/anchors/custom-ca.pem
+      update-ca-trust
+    else
+      echo 'Skipping to install custom CA because $CUSTOM_CA environment variable is not set'
+    fi
+
 variables:
   # OpenTofu variables
   LATEST_OPENTOFU_VERSION: !reference [.data, latest_version]
@@ -141,6 +150,7 @@ check-semantic-version:
   stage: build
   image: quay.io/containers/buildah:v1.38.1
   before_script:
+    - *install-custom-ca
     # Supporting GitLab dependency proxies:
     # see https://docs.gitlab.com/ee/user/packages/dependency_proxy/
     - |
@@ -254,6 +264,7 @@ shellcheck:
   variables:
     GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
   before_script:
+    - *install-custom-ca
     - *image-matrix-deploy-release-name-script
     - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
     - 'echo "base image OS: $GITLAB_OPENTOFU_BASE_IMAGE_OS"'
@@ -343,6 +354,7 @@ gitlab-opentofu-image:verify-signature:
     name: alpine/crane:0.20.3
     entrypoint: [""]
   before_script:
+    - *install-custom-ca
     - *image-matrix-deploy-release-name-script
     - apk add --update cosign
   script:
diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index e3dae83040f6cff45b3e49a3426e8b5f2ee966ab..357eacb23a7fdf987f6d77941fbeb0ce6ef7cf2a 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -548,6 +548,13 @@ The pipeline of this component respects the
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
 and configuring `buildah` to use it when building the container images.
 
+If you need to use this CI/CD component with a custom root CA, please set a CI/CD file variable called `CUSTOM_CA`. The
+certificate needs to be in the PEM format. Currently the certificate is applied to the following jobs:
+
+- `gitlab-opentofu-image:build`
+- `gitlab-opentofu-image:deploy`
+- `gitlab-opentofu-image:verify-signature`
+
 ## Migrating from the Terraform CI/CD templates
 
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules:
diff --git a/README.md b/README.md
index efe44f914e77d382c97799eed2b4700b1e1fd5eb..09d1927244cf33a789b9dbba4d3cdbaf0c2227ec 100644
--- a/README.md
+++ b/README.md
@@ -622,6 +622,13 @@ The pipeline of this component respects the
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
 and configuring `buildah` to use it when building the container images.
 
+If you need to use this CI/CD component with a custom root CA, please set a CI/CD file variable called `CUSTOM_CA`. The
+certificate needs to be in the PEM format. Currently the certificate is applied to the following jobs:
+
+- `gitlab-opentofu-image:build`
+- `gitlab-opentofu-image:deploy`
+- `gitlab-opentofu-image:verify-signature`
+
 ## Migrating from the Terraform CI/CD templates
 
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules: