diff --git a/README.md b/README.md
index 7c7fa453f..867e7e34e 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
| **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time
`14d` |
| **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time
`14d` |
| **PUPPETDB_JAVA_ARGS** | Arguments passed directly to the JVM when starting the service
`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` |
+| **PUPPETDB_CERTIFICATE_ALLOWLIST** | Comma separated list of certnames. No whitespaces!
example: `certname1,certname2,certname3`, default: empty string |
| **LOGDIR** | Path of the log directory
`/opt/puppetlabs/server/data/puppetdb/logs` |
| **SSLDIR** | Path of the SSL directory
`/opt/puppetlabs/server/data/puppetdb/certs` |
diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile
index 7314651fd..49e8711c9 100644
--- a/puppetdb/Dockerfile
+++ b/puppetdb/Dockerfile
@@ -42,6 +42,7 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
PUPPETDB_NODE_TTL=7d \
PUPPETDB_NODE_PURGE_TTL=14d \
PUPPETDB_REPORT_TTL=14d \
+ PUPPETDB_CERTIFICATE_ALLOWLIST="" \
# used by entrypoint to determine if puppetserver should be contacted for config
# set to false when container tests are run
USE_PUPPETSERVER=true \
diff --git a/puppetdb/conf.d/puppetdb.conf b/puppetdb/conf.d/puppetdb.conf
index f8de29039..d599e9cca 100644
--- a/puppetdb/conf.d/puppetdb.conf
+++ b/puppetdb/conf.d/puppetdb.conf
@@ -1,3 +1,4 @@
puppetdb: {
disable-update-checking: 'true'
+ certificate-allowlist: '/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist'
}
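Review bot: The path this new `certificate-allowlist` key points to, `/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist` (hyphen), is not the file the new entrypoint script `30-certificate-allowlist.sh` creates, which is `/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist` (underscore) on both of its write lines. As written, the list populated from `PUPPETDB_CERTIFICATE_ALLOWLIST` is never the one PuppetDB is told to read, so the access restriction the feature is meant to add is not actually applied from the environment variable; what PuppetDB does with a missing allowlist file is not visible here and should be confirmed. Use one spelling in both places, e.g. change this line to `certificate-allowlist: '/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist'` or change the script's target to the hyphenated name. A container test that sets the variable and then checks the file named in puppetdb.conf would have caught this.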
diff --git a/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh b/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh
new file mode 100755
index 000000000..6d9a57100
--- /dev/null
+++ b/puppetdb/docker-entrypoint.d/30-certificate-allowlist.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ "$PUPPETDB_CERTIFICATE_ALLOWLIST" != "" ]; then
+ IFS=','
+ for cert in $PUPPETDB_CERTIFICATE_ALLOWLIST; do
+ echo $cert >> /etc/puppetlabs/puppetdb/conf.d/certificate_allowlist
+ done
+else
+ touch /etc/puppetlabs/puppetdb/conf.d/certificate_allowlist
+fi
+
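Review bot: The allowlist is built with `>>` on line `echo $cert >> …`, so every run of this script appends to whatever is already in the file; if the container filesystem persists across restarts (not visible here, but worth confirming), certnames that were removed from `PUPPETDB_CERTIFICATE_ALLOWLIST` stay in the file and keep their access, and the surviving entries are duplicated. Truncating the file first and writing the current list in full makes the file reflect exactly the environment variable on each start. The unquoted `$cert` in `echo $cert` is also subject to globbing and `echo` option parsing, so `printf '%s\n' "$cert"` is the safer form, and `IFS=','` is set for the rest of the script rather than just the split; if the entrypoint ever sources these scripts instead of executing them that leaks into the caller. A short header comment stating that the file is regenerated on every start and consumed via the `certificate-allowlist` setting in puppetdb.conf would help the next maintainer.
```shell
#!/bin/bash
set -euo pipefail

# Regenerated on every container start from PUPPETDB_CERTIFICATE_ALLOWLIST
# (comma separated certnames, see README); consumed by puppetdb.conf.
allowlist_file=/etc/puppetlabs/puppetdb/conf.d/certificate_allowlist

# Truncate first so removed certnames do not survive a restart and
# re-runs do not accumulate duplicates.
: > "$allowlist_file"

if [[ -n "${PUPPETDB_CERTIFICATE_ALLOWLIST:-}" ]]; then
  IFS=',' read -r -a certs <<<"$PUPPETDB_CERTIFICATE_ALLOWLIST"
  printf '%s\n' "${certs[@]}" >> "$allowlist_file"
fi
```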