diff --git a/deploy/csi-rclone/templates/_certificates-init-container.tpl b/deploy/csi-rclone/templates/_certificates-init-container.tpl
new file mode 100644
index 0000000..d8b6b1a
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-init-container.tpl
@@ -0,0 +1,14 @@
+{{- define "csiRcloneCertificates.initContainer" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}}
+- name: init-certificates
+ image: "{{ .Values.csiNodepluginRclone.certificates.image.repository }}:{{ .Values.csiNodepluginRclone.certificates.image.tag }}"
+ volumeMounts:
+ - name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ {{- if or $customCAsEnabled $customCAsForMountsEnabled }}
+ - name: custom-ca-certs
+ mountPath: /usr/local/share/ca-certificates
+ readOnly: true
+ {{- end -}}
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
new file mode 100644
index 0000000..9d83c10
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volume-mounts.tpl
@@ -0,0 +1,5 @@
+{{- define "csiRcloneCertificates.volumeMounts.system" -}}
+- name: etc-ssl-certs
+ mountPath: /etc/ssl/certs/
+ readOnly: true
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/_certificates-volumes.tpl b/deploy/csi-rclone/templates/_certificates-volumes.tpl
new file mode 100644
index 0000000..9657a88
--- /dev/null
+++ b/deploy/csi-rclone/templates/_certificates-volumes.tpl
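Review bot: The `init-certificates` container defined at the top of this hunk carries no `securityContext` and no `resources`, although it is the component that now writes the CA directory every TLS connection of the node plugin will trust (the `etc-ssl-certs` volume it fills is mounted read-only into what appears to be the rclone container in the DaemonSet hunks). Unless a pod-level securityContext outside this hunk already covers it, consider adding at least `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` plus a small `resources` stanza so that a misbehaving certificate image can neither escalate nor starve the node. The image is also referenced by mutable tag only (`repository:tag`); since it effectively acts as a trust anchor, supporting an optional digest reference (`repository@sha256:<digest-placeholder>`) is worth considering. Whether the image needs root to populate `/etc/ssl/certs/` cannot be told from here, so `runAsNonRoot` should be confirmed against the image before adding it.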
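Review bot: This partial lacks a comment stating that it replaces, not supplements, whatever the container image ships under `/etc/ssl/certs/`: the mount is backed by the in-memory `etc-ssl-certs` emptyDir declared in the volumes partial, so only what `init-certificates` wrote there is trusted, and an empty or failed init leaves the container with no CA bundle at all (TLS then fails closed, which is the safe direction but surprising to debug). Suggest a Helm comment above the `define`, e.g. `{{/* Mounts the trust store produced by init-certificates over the image's own /etc/ssl/certs; nothing the image ships there is trusted once applied. */}}`. The same comment could note that `readOnly: true` here is deliberate while the init container's mount of the same volume must stay writable.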
@@ -0,0 +1,25 @@
+{{- define "csiRcloneCertificatesForMounts.volumes" -}}
+{{- $customCAsEnabled := .Values.csiNodepluginRclone.certificates.customCAs -}}
+{{- $customCAsForMountsEnabled := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts -}}
+- name: etc-ssl-certs
+ emptyDir:
+ medium: "Memory"
+{{- if or $customCAsEnabled $customCAsForMountsEnabled }}
+- name: custom-ca-certs
+ projected:
+ defaultMode: 0444
+ sources:
+ {{- if $customCAsEnabled }}
+ {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAs }}
+ - secret:
+ name: {{ $customCA.secret }}
+ {{- end -}}
+ {{- end -}}
+ {{- if $customCAsForMountsEnabled }}
+ {{- range $customCA := .Values.csiNodepluginRclone.certificates.customCAsForDataConnectorMounts }}
+ - secret:
+ name: {{ $customCA.secret }}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
index 7615eba..3d68cfe 100644
--- a/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
+++ b/deploy/csi-rclone/templates/csi-nodeplugin-rclone.yaml
@@ -20,6 +20,8 @@ spec:
 spec:
 serviceAccountName: {{ include "chart.fullname" . }}-nodeplugin
 dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+ {{- include "csiRcloneCertificates.initContainer" . | nindent 6 }}
 containers:
 - name: node-driver-registrar
 args:
@@ -143,6 +145,7 @@ spec:
 name: pods-mount-dir
 - mountPath: /var/lib/rclone
 name: cache-dir
+ {{- include "csiRcloneCertificates.volumeMounts.system" . | nindent 8 }}
 {{- with .Values.csiNodepluginRclone.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
@@ -170,3 +173,4 @@ spec:
 name: registration-dir
 - name: cache-dir
 emptyDir: {}
+ {{- include "csiRcloneCertificatesForMounts.volumes" . | nindent 6 }}
diff --git a/deploy/csi-rclone/values.yaml b/deploy/csi-rclone/values.yaml
index acbad32..ebf474a 100644
--- a/deploy/csi-rclone/values.yaml
+++ b/deploy/csi-rclone/values.yaml
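Review bot: The `secret:` sources in both `range` loops project the whole Secret: there is no `items:` filter, so every key of each referenced Secret — including any private key if someone points this at a `kubernetes.io/tls` Secret — is mounted into `/usr/local/share/ca-certificates` in the init container, even though the values.yaml comment in this commit says non-`.crt` keys are "ignored". Either restrict the projection with `items:` (the key names would then have to come from values) or document in this partial that the referenced Secrets must hold only public CA certificates. Both lists land in the same projected volume and therefore the same trust store, so from this hunk alone the `customCAs` / `customCAsForDataConnectorMounts` split has no effect on what is trusted; if the two are meant to be scoped differently, that is not enforced here. Finally, `name: {{ $customCA.secret }}` is unquoted and does not fail the render when the `secret` key is missing; `name: {{ required "certificates.customCAs[].secret must be set" $customCA.secret | quote }}` fails early instead (the same applies to the second loop).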
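Review bot: The `initContainers:` entry added in the first hunk is unconditional, so every node-plugin pod now depends on pulling the certificates image and on that init step succeeding even when both `customCAs` and `customCAsForDataConnectorMounts` are empty; combined with the read-only `/etc/ssl/certs/` mount added in the second hunk, a failed or empty init means the rclone container starts without any CA bundle. If that is intended (fail closed), a comment next to the include saying so would help operators; otherwise a chart-level toggle (for example a new `certificates.enabled` value, to be added to values.yaml) guarding the three includes would let clusters without custom CAs keep the image's own trust store. The enclosing DaemonSet spec starts and ends outside these hunks, so a pod-level `securityContext` that would also apply to the init container may exist but is not visible here.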
@@ -106,6 +106,19 @@ csiNodepluginRclone:
 # value: "32M"
 # - name: "transfers"
 # value: "8"
+ ## Specify the name of a existing K8s secrets that contains the certificate
+ ## if you would like to use custom CAs. The key for the secret
+ ## should have the .crt extension otherwise it is ignored. The
+ ## keys across all secrets are mounted as files in one location so
+ ## the keys across all secrets have to be unique.
+ certificates:
+ image:
+ repository: renku/certificates
+ tag: "0.0.2"
+ customCAs: []
+ # - secret:
+ customCAsForDataConnectorMounts: []
+ # - secret:
 serviceAccount:
 annotations: {}
 nodeSelector: {}
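Review bot: The comment block does not say how `customCAs` and `customCAsForDataConnectorMounts` differ, and in the templates added by this commit both lists are projected into the same `custom-ca-certs` volume and consumed by the same init container, so a reader cannot tell why there are two keys. State the intended distinction (or collapse them into one list), and make the commented examples show the expected shape, e.g. `# - secret: <name-of-existing-secret>` instead of the bare `# - secret:`. It is also worth saying that the referenced Secrets should contain only public CA certificates, since the template mounts every key of the Secret, not only `.crt` ones. Minor wording: `a existing K8s secrets` → `an existing K8s Secret`.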