diff --git a/kube-oidc-proxy/Dockerfile b/kube-oidc-proxy/Dockerfile index 28d595a..373217b 100644 --- a/kube-oidc-proxy/Dockerfile +++ b/kube-oidc-proxy/Dockerfile @@ -7,9 +7,11 @@ ARG BASE_IMAGE FROM $SOURCE_IMAGE as source +FROM ${BASE_IMAGE} as certs + FROM ${BASE_IMAGE} -# RUN apk --no-cache add ca-certificates && update-ca-certificates +COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/certs-bundle.crt # See: https://github.com/TremoloSecurity/kube-oidc-proxy/blob/1acdbd93710e61117d6daf90f541f2107552d9e6/Dockerfile COPY --from=source /usr/bin/kube-oidc-proxy /usr/local/bin/kube-oidc-proxy diff --git a/kube-oidc-proxy/README.md b/kube-oidc-proxy/README.md index a2a1db9..04a081a 100644 --- a/kube-oidc-proxy/README.md +++ b/kube-oidc-proxy/README.md @@ -6,6 +6,8 @@ There is a [maintained fork](https://www.tremolosecurity.com/post/updating-kube- The forked image gets rebuilt by copying the fork build and adding it to static distroless container image to minimize attack surface. +The CA certs bundle from the original distroless container image is copied to the `/etc/ssl/certs/certs-bundle.crt` that allows specific overrides. + ## Build ```
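Review bot: In the Dockerfile hunk, the new `certs` stage is built from the same `${BASE_IMAGE}` as the final stage, so `COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/certs-bundle.crt` only duplicates a file the final image already carries under its original name; nothing in the hunk tells kube-oidc-proxy (or Go's default TLS root loader, which reads `/etc/ssl/certs/ca-certificates.crt` but not an arbitrary `certs-bundle.crt`) to use the new path. If the intent is a mount point operators can overlay with a custom bundle, add an `ENV SSL_CERT_FILE=/etc/ssl/certs/certs-bundle.crt` or document the flag that points the proxy at it, otherwise the copied file is dead weight. Also note that the build now fails if the chosen `BASE_IMAGE` variant does not ship `/etc/ssl/certs/ca-certificates.crt`, which is worth a comment next to the `FROM ${BASE_IMAGE} as certs` line since the removed `RUN apk … update-ca-certificates` line was the previous way of guaranteeing a bundle.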
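Review bot: In the README hunk, the added sentence "The CA certs bundle from the original distroless container image is copied to the `/etc/ssl/certs/certs-bundle.crt` that allows specific overrides." is grammatically off and leaves the override mechanism unstated. Suggest: "The CA bundle from the distroless base image is copied to `/etc/ssl/certs/certs-bundle.crt`, so operators can override the trusted roots by mounting their own bundle over that path." Whatever the actual mechanism is (a volume mount, a proxy flag, `SSL_CERT_FILE`), name it here, because a reader of the README cannot otherwise tell how the file at the new path is consumed.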