diff --git a/elements/os-collect-config/README.md b/elements/os-collect-config/README.md index 71ba7bbcb..d3fda3a6c 100644 --- a/elements/os-collect-config/README.md +++ b/elements/os-collect-config/README.md @@ -21,6 +21,7 @@ Heat Metadata can be used to configure os-collect-config: access_key_id: abcdefghijklmnop091234 secret_access_key: fffeeeeddddccccaaaa99999 path: ThisResource.Metadata + ca_certificate: /etc/ssl/ca.crt ec2: metadata_url: http://169.254.169.254/latest/meta-data heat_local: @@ -30,7 +31,8 @@ Note that `metadata_url` is optional, as it should be determined by the file `heat_metadata_hint` refers to. This file is injected by Heat via cloud-init at first boot. Those two parameters are the only optional parameters. All of the others are required for the cfn data source -to function. +to function. Note that `ca_certificate` is also optional but required +in many cases where the metadata api is behind ssl. `ec2` and `heat_local` do not require any configuration to work. @@ -54,6 +56,7 @@ template: - SecretAccessKey stack_name: Ref: AWS::StackName + ca_certificate: /etc/ssl/ca.crt The EC2 collector takes this metadata, passes it to os-apply-config which in turn writes it out to /etc/os-collect-config.conf. diff --git a/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf b/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf index 9ba5d2a94..cc3e2ee69 100644 --- a/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf +++ b/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf @@ -25,6 +25,9 @@ stack_name = {{stack_name}} secret_access_key = {{secret_access_key}} access_key_id = {{access_key_id}} path = {{path}} +{{#ca_certificate}} +ca_certificate = {{.}} +{{/ca_certificate}} {{/cfn}} {{#heat}}
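Review bot: In the README hunk at `@@ -30,7 +31,8 @@`, the added sentence contradicts the unchanged line directly above it, "Those two parameters are the only optional parameters", because `ca_certificate` is now a third optional one. Suggest rewording that sentence to cover all three. Also replace "optional but required in many cases" with the concrete condition under which it must be set, and state that the value is a file path on the instance, as the `/etc/ssl/ca.crt` examples imply.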
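Review bot: In `os-apply-config/etc/os-collect-config.conf` at `@@ -25,6 +25,9 @@`, the `{{#ca_certificate}}` section writes whatever path the metadata supplies into the config, but nothing in this patch puts a CA file on the instance, and both README examples point at `/etc/ssl/ca.crt`. Suggest documenting in the README how that file is expected to reach the image (another element, or injection at boot), or at least saying that the path must already exist. Otherwise a reader who copies the example ends up with a `ca_certificate` line that points at a missing file.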