diff --git a/install/kots/manifests/gitpod-ca-secret.yaml b/install/kots/manifests/gitpod-ca-secret.yaml
new file mode 100644
index 00000000000000..c812a6334885dc
--- /dev/null
+++ b/install/kots/manifests/gitpod-ca-secret.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ca-certificate
+ labels:
+ app: gitpod
+ component: gitpod-installer
+ annotations:
+ kots.io/when: '{{repl and (ConfigOptionEquals "cert_manager_enabled" "0") (ConfigOptionNotEquals "tls_ca_crt" "") }}'
+data:
+ ca.crt: '{{repl ConfigOption "tls_ca_crt" }}'
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
index 925ab07c982f8b..5e5882c1eb13f4 100644
--- a/install/kots/manifests/gitpod-installer-job.yaml
+++ b/install/kots/manifests/gitpod-installer-job.yaml
@@ -194,6 +194,18 @@ spec:
 yq e -i '.sshGatewayHostKey.name = "ssh-gateway-host-key"' "${CONFIG_FILE}"
 fi
 
+ if [ '{{repl ConfigOptionEquals "tls_self_signed_enabled" "1" }}' = "true" ];
+ then
+ echo "Gitpod: Generating a self-signed certificate with the internal CA"
+ yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
+ yq e -i '.customCACert.name = "ca-issuer-ca"' "${CONFIG_FILE}"
+ elif [ '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") (ConfigOptionNotEquals "tls_ca_crt" "") }}' = "true" ];
+ then
+ echo "Gitpod: Setting CA to be used for certificate"
+ yq e -i '.customCACert.kind = "secret"' "${CONFIG_FILE}"
+ yq e -i '.customCACert.name = "ca-certificate"' "${CONFIG_FILE}"
+ fi
+
 echo "Gitpod: Patch Gitpod config"
 base64 -d "${CONFIG_PATCH_FILE}" > /tmp/patch.yaml
 config_patch=$(cat /tmp/patch.yaml)
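Review bot: The `kots.io/when` annotation on the new ca-certificate Secret checks only `cert_manager_enabled` and `tls_ca_crt`, while the installer job's elif branch in the gitpod-installer-job.yaml hunk of this commit and the `tls_ca_crt` item's `when` both additionally require `tls_self_signed_enabled` to be "0". If KOTS keeps the value of a hidden file item (it may), a CA uploaded earlier would still render this Secret after switching to self-signed mode, while the job points `customCACert.name` at `ca-issuer-ca` instead; aligning the three conditions removes that divergence: `kots.io/when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") (ConfigOptionNotEquals "tls_ca_crt" "") }}'`. The `data:` field must hold base64, so confirm that `ConfigOption` on a `file` item yields the encoded content here (presumably the same pattern the existing TLS certificate secret uses); if it yields raw PEM, `stringData` with `ConfigOptionData` is the alternative. In the job hunk, both branches set `.customCACert.kind = "secret"` and differ only in the name, so a single assignment of a name variable followed by the two `yq` calls would read more clearly; the surrounding shell script starts and continues outside the hunk.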
diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
index 2b358a7aec31bb..9784b7d64d06c2 100644
--- a/install/kots/manifests/kots-config.yaml
+++ b/install/kots/manifests/kots-config.yaml
@@ -258,7 +258,14 @@ spec:
 title: Use a self-signed TLS certificate
 type: bool
 default: "0"
- help_text: A self-signed certficate should only be used if applying TLS termination to your load balancer or other proxy.
+ help_text: |
+ A self-signed certficate should only be used if applying TLS termination to your load balancer or other proxy.
+
+ If you are terminating your TLS connection with this certificate, you will need to download the [CA](https://en.wikipedia.org/wiki/Certificate_authority)
+ certificate and install it to your browser.
+
+ To download the certificate, run
+ `kubectl get secrets -n {{repl Namespace }} ca-issuer-ca -o jsonpath='{.data.ca\.crt}' | base64 -d > ~/ca.crt`
 
 - name: cert_manager_enabled
 title: Use cert-manager
@@ -302,6 +309,12 @@ spec:
 when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") }}'
 help_text: A file containing the TLS private key.
 
+ - name: tls_ca_crt
+ title: CA certificate
+ type: file
+ when: '{{repl and (ConfigOptionEquals "tls_self_signed_enabled" "0") (ConfigOptionEquals "cert_manager_enabled" "0") }}'
+ help_text: A file containing the Certificate Authority certificate. To be used if your certificate is signed by a non-public CA.
+
 - name: features
 title: Additional features
 items:
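Review bot: The rewritten `help_text` for tls_self_signed_enabled carries the typo `certficate` over from the removed line; the first body line should read `A self-signed certificate should only be used if applying TLS termination to your load balancer or other proxy.` The block uses the `|` literal style, which keeps a trailing newline in the rendered value; `help_text: |-` strips it if the config UI shows that as extra spacing. The second hunk's `tls_ca_crt` item mirrors the tls_key `when` condition, but its help text does not say which format the installer's customCACert consumer expects (PEM, and whether intermediates belong in the file); if that is known, stating it there saves users a failed install.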