diff --git a/base/utils/config.go b/base/utils/config.go
index ba8d97bb6..95e416267 100644
--- a/base/utils/config.go
+++ b/base/utils/config.go
@@ -73,6 +73,7 @@ type coreConfig struct {
 CandlepinAddress string
 CandlepinCert string
 CandlepinKey string
+ CandlepinCA string
 ManagerPrivateAddress string
 ListenerPrivateAddress string
 EvaluatorUploadPrivateAddress string
@@ -160,6 +161,7 @@ func initServicesFromEnv() {
 CoreCfg.CandlepinAddress = Getenv("CANDLEPIN_ADDRESS", CoreCfg.CandlepinAddress)
 CoreCfg.CandlepinCert = Getenv("CANDLEPIN_CERT", CoreCfg.CandlepinCert)
 CoreCfg.CandlepinKey = Getenv("CANDLEPIN_KEY", CoreCfg.CandlepinKey)
+ CoreCfg.CandlepinCA = Getenv("CANDLEPIN_CA", CoreCfg.CandlepinCA)
 }
 
 func initDBFromClowder() {
diff --git a/manager/config/config.go b/manager/config/config.go
index fb1fe4e39..0d6510fc9 100644
--- a/manager/config/config.go
+++ b/manager/config/config.go
@@ -5,6 +5,7 @@ import (
 "app/base/utils"
 "crypto/tls"
 "crypto/x509"
+ "fmt"
 "net/http"
 
 log "github.com/sirupsen/logrus"
@@ -61,6 +62,12 @@ func CreateCandlepinClient() api.Client {
 if err != nil {
 return nil, err
 }
+ if utils.CoreCfg.CandlepinCA != "" {
+ ok := certPool.AppendCertsFromPEM([]byte(utils.CoreCfg.CandlepinCA))
+ if !ok {
+ return nil, fmt.Errorf("could not parse candlepin ca cert")
+ }
+ }
 tlsConfig = &tls.Config{
 Certificates: []tls.Certificate{clientCert},
 RootCAs: certPool,
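Review bot: The new `CandlepinCA` field in the `coreConfig` hunk of base/utils/config.go has no comment saying what form the value takes. The manager hunk passes it straight to `AppendCertsFromPEM`, so it has to hold the PEM text itself rather than a file path. A field comment would stop an operator from setting `CANDLEPIN_CA` to a path and only finding out through a parse failure when the client is created: `// CandlepinCA is the PEM-encoded CA bundle (contents, not a path) used to verify the Candlepin server certificate; empty adds no extra CA.` The struct continues outside the hunk.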
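Review bot: The added block in manager/config/config.go appends `CANDLEPIN_CA` to whatever `certPool` already holds. Its construction is above the hunk and not visible here, but if it starts from the system roots, the Candlepin server certificate is still accepted when it chains to any public CA, not only the configured one. If the intent is to trust only the private CA when one is set, start from an empty pool in that branch with `certPool = x509.NewCertPool()` before the append. `AppendCertsFromPEM` also reports true as soon as one certificate parses, so a bundle with a damaged entry loads partially without error; a short comment saying so would help whoever debugs a handshake failure. The error text could name the setting at fault, e.g. `fmt.Errorf("could not parse CANDLEPIN_CA: no PEM certificates found")`. The enclosing function starts and ends outside the hunk.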