diff --git a/pkg/vendir/config/directory.go b/pkg/vendir/config/directory.go
index ffb0472f..72c78696 100644
--- a/pkg/vendir/config/directory.go
+++ b/pkg/vendir/config/directory.go
@@ -139,6 +139,9 @@ type DirectoryContentsImgpkgBundle struct {
 ResponseHeaderTimeout int `json:"responseHeaderTimeout,omitempty"`
 DangerousSkipTLSVerify bool `json:"dangerousSkipTLSVerify,omitempty"`
 Recursive bool `json:"recursive,omitempty"`
+ // Paths to PEM files containing additional CA certificates
+ // +optional
+ AdditionalCACertificates []string `json:"additionalCACertificates,omitempty"`
 }

 func (c DirectoryContentsImgpkgBundle) PreresolvedTag() string { return c.preresolvedTag }
diff --git a/pkg/vendir/fetch/image/imgpkg.go b/pkg/vendir/fetch/image/imgpkg.go
index d45f10ee..9b6aa1ff 100644
--- a/pkg/vendir/fetch/image/imgpkg.go
+++ b/pkg/vendir/fetch/image/imgpkg.go
@@ -24,9 +24,10 @@ const (
 )

 type ImgpkgOpts struct {
- SecretRef *ctlconf.DirectoryContentsLocalRef
- DangerousSkipTLSVerify bool
- ResponseHeaderTimeout int
+ SecretRef *ctlconf.DirectoryContentsLocalRef
+ DangerousSkipTLSVerify bool
+ ResponseHeaderTimeout int
+ AdditionalCACertificates []string

 EnvironFunc func() []string
 }
@@ -164,6 +165,7 @@ func (t *Imgpkg) RegistryOpts() (registry.Opts, error) {
 EnvironFunc: func() []string {
 return append(envVariables, t.opts.EnvironFunc()...)
 },
+ CACertPaths: t.opts.AdditionalCACertificates,
 }
 envVars := map[string]string{}
 for _, envVar := range append(envVariables, t.opts.EnvironFunc()...) {
diff --git a/pkg/vendir/fetch/imgpkgbundle/sync.go b/pkg/vendir/fetch/imgpkgbundle/sync.go
index fafda78e..90c11e18 100644
--- a/pkg/vendir/fetch/imgpkgbundle/sync.go
+++ b/pkg/vendir/fetch/imgpkgbundle/sync.go
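Review bot: The comment on the new `AdditionalCACertificates` field of `DirectoryContentsImgpkgBundle` does not say what relative paths are resolved against, or whether the listed CAs are trusted in addition to the system roots or instead of them; both matter for a setting that widens which registries pass TLS verification. I would spell that out, for example `// Paths to PEM files with CA certificates trusted for registry TLS, in addition to the system roots; relative paths are resolved against <base directory - confirm against the fetcher>`. It is also worth one sentence on how the field interacts with `dangerousSkipTLSVerify` two lines above, since with verification skipped the extra CAs presumably have no effect. The struct starts above the hunk, so any validation it already has for its other fields is not visible here.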
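Review bot: `CACertPaths: t.opts.AdditionalCACertificates` in `RegistryOpts` forwards the configured paths unchecked, so an empty string, a missing file or a path relative to an unexpected working directory is reported, if at all, only by the registry client and without naming the vendir.yml field. A pre-check over the paths before building the opts would give a clearer failure, e.g. `if _, err := os.Stat(p); err != nil { return registry.Opts{}, fmt.Errorf("additionalCACertificates %q: %w", p, err) }`. If `DangerousSkipTLSVerify` is set as well, the extra CAs are presumably ignored; rejecting or warning on that combination would avoid a config that looks pinned to a private CA while verifying nothing. The new `AdditionalCACertificates` field of `ImgpkgOpts` in the hunk at line 24 also carries no comment. The body of `RegistryOpts` starts and ends outside this hunk.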
@@ -19,9 +19,10 @@ type Sync struct {

 func NewSync(opts ctlconf.DirectoryContentsImgpkgBundle, refFetcher ctlfetch.RefFetcher, c ctlcache.Cache) *Sync {
 imgpkgOpts := ctlimg.ImgpkgOpts{
- SecretRef: opts.SecretRef,
- DangerousSkipTLSVerify: opts.DangerousSkipTLSVerify,
- ResponseHeaderTimeout: opts.ResponseHeaderTimeout,
+ SecretRef: opts.SecretRef,
+ DangerousSkipTLSVerify: opts.DangerousSkipTLSVerify,
+ ResponseHeaderTimeout: opts.ResponseHeaderTimeout,
+ AdditionalCACertificates: opts.AdditionalCACertificates,
 }
 return &Sync{opts, ctlimg.NewImgpkg(imgpkgOpts, refFetcher, c)}
 }