diff --git a/README.md b/README.md
index 8671462..0401eef 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ The following options are used:
 - `OCP_BACKUP_S3`: Use S3 to store etcd-backup snapshots
 - `OCP_BACKUP_S3_NAME`: MinIO client host alias name
 - `OCP_BACKUP_S3_HOST`: S3 host endpoint (with scheme)
+- `OCP_BACKUP-S3_CA`: S3 host CA (if needed)
 - `OCP_BACKUP_S3_BUCKET`: S3 bucket name
 - `OCP_BACKUP_S3_ACCESS_KEY`: access key to access S3 bucket
 - `OCP_BACKUP_S3_SECRET_KEY`: secret key to access S3 bucket
diff --git a/backup-config.yaml b/backup-config.yaml
index 59edffe..bdba32d 100644
--- a/backup-config.yaml
+++ b/backup-config.yaml
@@ -6,6 +6,10 @@ data:
 OCP_BACKUP_S3: "false"
 OCP_BACKUP_S3_NAME: "minio"
 OCP_BACKUP_S3_HOST: "http://minio.local:9000"
+ OCP_BACKUP_S3_CA: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
 OCP_BACKUP_S3_BUCKET: "etcd-backup"
 OCP_BACKUP_S3_ACCESS_KEY: "randomaccesskey"
 OCP_BACKUP_S3_SECRET_KEY: "secretkey"
diff --git a/backup.sh b/backup.sh
index faa6f66..627945b 100755
--- a/backup.sh
+++ b/backup.sh
@@ -35,8 +35,11 @@ set -xeuo pipefail
 if [ "${OCP_BACKUP_S3}" = "true" ]; then
 # prepare & push backup to S3
- # update CA trust
- update-ca-trust
+ # add custom CA if any and update CA trust
+ if [ "${OCP_BACKUP_S3_CA}" ]; then
+ echo -n "${OCP_BACKUP_S3_CA}" > /etc/pki/ca-trust/source/anchors/ca.crt
+ update-ca-trust
+ fi
 # configure mcli assuming the bucket already exists
 bash +o history
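Review bot: The sample value added for `OCP_BACKUP_S3_CA` is a non-empty placeholder (`...` between the PEM markers), so a deployment that enables S3 and applies this file without editing it takes the new CA branch in backup.sh and writes something that is not a certificate into the trust anchors. Since the README describes the CA as optional, the shipped default would be safer as `OCP_BACKUP_S3_CA: ""`, with the PEM block shown in a comment as an example. The sample `OCP_BACKUP_S3_HOST` next to it is still `http://`, where a CA has no effect, so an `https://` example alongside the CA would make the intended use clearer.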
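Review bot: The new test `[ "${OCP_BACKUP_S3_CA}" ]` expands an optional variable while the script appears to run under `set -u` (the `set -xeuo pipefail` in the hunk header), so a ConfigMap that predates this key would abort the backup with an unbound-variable error; `if [ -n "${OCP_BACKUP_S3_CA:-}" ]; then` avoids that. The README hunk in this commit spells the key `OCP_BACKUP-S3_CA`, which would lead anyone copying it to the same failure. `update-ca-trust` used to run unconditionally and now runs only when the variable is set, so CA files placed in the anchors directory by other means (a mounted volume, for example) would no longer be picked up and TLS verification against the S3 host would fail; keeping the call after the `fi` preserves the old behaviour. The enclosing `if [ "${OCP_BACKUP_S3}" = "true" ]` block continues past the end of the hunk.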