diff --git a/charms_openstack/plugins/trilio.py b/charms_openstack/plugins/trilio.py
index 43507dc..59ac4c1 100644
--- a/charms_openstack/plugins/trilio.py
+++ b/charms_openstack/plugins/trilio.py
@@ -31,6 +31,9 @@ import charms.reactive as reactive
 
 TV_MOUNTS = "/var/triliovault-mounts"
 
+# Location of the certificate file to use when talking to S3 endpoint.
+S3_SSL_CERT_FILE = '/usr/share/ca-certificates/charm-s3.cert'
+
 # Used to store the discovered release version for caching between invocations
 TRILIO_RELEASE_KEY = 'charmers.trilio-release-version'
 
@@ -64,6 +67,22 @@ def trilio_properties(cls):
             'transport_type': 'legacy'}
 
 
+@charms_openstack.adapters.config_property
+def trilio_s3_cert_config(cls):
+    """Trilio S3 certificate config
+
+    :param cls: Configuration Adapter class
+    :type cls: charms_openstack.adapters.DefaultConfigurationAdapter
+    """
+    s3_cert_config = {}
+    config = ch_core.hookenv.config('tv-s3-ssl-cert')
+    if config:
+        s3_cert_config = {
+            'cert_file': S3_SSL_CERT_FILE,
+            'cert_data': base64.b64decode(config).decode('utf-8')}
+    return s3_cert_config
+
+
 class AptPkgVersion():
     """Allow package version to be compared."""
 
diff --git a/unit_tests/charms_openstack/plugins/test_trilio.py b/unit_tests/charms_openstack/plugins/test_trilio.py
index 833c22c..17ad1eb 100644
--- a/unit_tests/charms_openstack/plugins/test_trilio.py
+++ b/unit_tests/charms_openstack/plugins/test_trilio.py
@@ -181,6 +181,19 @@ class TestTrilioCommonBehaviours(BaseOpenStackCharmTest):
             trilio.trilio_properties(cls_mock),
             {'db_type': 'legacy', 'transport_type': 'legacy'})
 
+    def test_trilio_s3_cert_config(self):
+        cls_mock = mock.MagicMock()
+        self.config.return_value = 'QSBjZXJ0Cg=='
+        self.assertEqual(
+            trilio.trilio_s3_cert_config(cls_mock),
+            {
+                'cert_file': '/usr/share/ca-certificates/charm-s3.cert',
+                'cert_data': 'A cert\n'})
+        self.config.return_value = None
+        self.assertEqual(
+            trilio.trilio_s3_cert_config(cls_mock),
+            {})
+
     def test_get_trilio_codename_install_source(self):
         self.assertEqual(
             trilio.get_trilio_codename_install_source(