diff --git a/src/config.yaml b/src/config.yaml
index 3d1b914..fbd8478 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -37,3 +37,8 @@ options:
 default: ""
 description: >-
 The SSL key, base64-encoded.
+ ssl-ca:
+ type: string
+ default: ""
+ description: >-
+ The SSL Root CA certificate, base64-encoded.
diff --git a/src/reactive/vault.py b/src/reactive/vault.py
index fe2859c..0bce605 100644
--- a/src/reactive/vault.py
+++ b/src/reactive/vault.py
@@ -1,5 +1,6 @@
 import base64
 import psycopg2
+import subprocess

 from charmhelpers.contrib.charmsupport.nrpe import (
 NRPE,
@@ -174,6 +175,13 @@ def configure_ssl():
 set_state('vault.ssl.available')
 else:
 remove_state('vault.ssl.available')
+
+ if c['ssl-ca']:
+ ssl_ca = base64.decodestring(c['ssl-ca'].encode())
+ write_file('/usr/local/share/ca-certificates/vault-ca.crt',
+ ssl_ca, perms=0o644)
+ subprocess.check_call(['update-ca-certificates', '--fresh'])
+
 set_state('vault.ssl.configured')
 status_set('active', 'SSL key and cert installed')
 remove_state('configured')
@@ -194,6 +202,11 @@ def ssl_key_changed():
 remove_state('vault.ssl.configured')


+@when('config.changed.ssl-ca')
+def ssl_ca_changed():
+ remove_state('vault.ssl.configured')
+
+
 @when('configured')
 @when('nrpe-external-master.available')
 @when_not('vault.nrpe.configured')
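Review bot: The `ssl-ca` description in src/config.yaml does not say that the certificate is installed into the unit's system-wide CA store, which is what the configure_ssl() change in this commit does with it. An operator should know that scope before setting the option, so the text could read `The SSL Root CA certificate, base64-encoded. It is installed into the unit's system CA store, so every TLS client on the machine will trust it.` With the default `""` the new block in configure_ssl() is skipped and the trust store is left as it is.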
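Review bot: Clearing `ssl-ca` never removes `/usr/local/share/ca-certificates/vault-ca.crt`, because the new block in configure_ssl() (src/reactive/vault.py) only handles the non-empty case, so a root CA the operator has withdrawn stays in the unit's system trust store. An `elif` branch that deletes the file and re-runs `update-ca-certificates --fresh` would make the option reversible; it needs `os` imported if the module does not already have it. Separately, `base64.decodestring` is a deprecated alias that was removed in Python 3.9, and `base64.b64decode` is the drop-in replacement. configure_ssl() begins and ends outside the hunk, so whether this block is reached when only `ssl-ca` is set cannot be confirmed from here.

```python
    # … unchanged: vault.ssl.available handling …
    ca_path = '/usr/local/share/ca-certificates/vault-ca.crt'
    if c['ssl-ca']:
        ssl_ca = base64.b64decode(c['ssl-ca'])
        write_file(ca_path, ssl_ca, perms=0o644)
        subprocess.check_call(['update-ca-certificates', '--fresh'])
    elif os.path.exists(ca_path):
        # Option cleared: stop trusting the previously installed root CA.
        os.remove(ca_path)
        subprocess.check_call(['update-ca-certificates', '--fresh'])

    set_state('vault.ssl.configured')
    # … unchanged: status_set / remove_state('configured') …
```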