diff --git a/deploy/helm/README.md b/deploy/helm/README.md
index fe9eb45..4fdca9d 100644
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -32,6 +32,29 @@ Then open `http://localhost:4005` in your browser.
 | `image.pullPolicy` | Image pull policy | `Always` |
 | `replicaCount` | Number of replicas | `1` |
 
+### Custom Root CA
+
+| Parameter | Description | Default Value |
+| -------------- | ---------------------------------------- | ------------- |
+| `customRootCA` | Name of Secret containing CA certificate | `""` |
+
+To trust a custom CA certificate (e.g., for internal services with self-signed certificates):
+
+1. Create a Secret with your CA certificate:
+
+```bash
+kubectl create secret generic my-root-ca \
+ --from-file=ca.crt=./path/to/ca-certificate.crt
+```
+
+2. Reference it in values:
+
+```yaml
+customRootCA: my-root-ca
+```
+
+The certificate will be mounted to `/etc/ssl/certs/custom-root-ca.crt` and the `SSL_CERT_FILE` environment variable will be set automatically.
+
 ### Service
 
 | Parameter | Description | Default Value |
diff --git a/deploy/helm/templates/statefulset.yaml b/deploy/helm/templates/statefulset.yaml
index 4200963..e59cc13 100644
--- a/deploy/helm/templates/statefulset.yaml
+++ b/deploy/helm/templates/statefulset.yaml
@@ -39,6 +39,11 @@ spec:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.customRootCA }}
+ env:
+ - name: SSL_CERT_FILE
+ value: /etc/ssl/certs/custom-root-ca.crt
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.service.targetPort }}
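Review bot: Pointing `SSL_CERT_FILE` at a file that contains only the custom CA (the added `env` block of this hunk) can stop the container from trusting public CAs for any TLS client that reads the bundle file rather than the hashed `/etc/ssl/certs` directory, because the system bundle is no longer the file consulted; which clients are affected depends on the TLS library in the image, which this hunk does not show. If the application also reaches public endpoints, the operator-facing fix is to state in the `customRootCA` docs that the Secret's `ca.crt` should be a full bundle (system CAs plus the private CA), or to append the custom CA to the system bundle in an init step instead of replacing the file. Separately, this `env:` key is emitted only under the `customRootCA` condition, so if the container already declares an `env:` list elsewhere in the template, rendering would produce a duplicate key; worth confirming with `helm template`. The enclosing container spec starts and ends outside this hunk.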
@@ -46,6 +51,12 @@ spec:
 volumeMounts:
 - name: postgresus-storage
 mountPath: {{ .Values.persistence.mountPath }}
+ {{- if .Values.customRootCA }}
+ - name: custom-root-ca
+ mountPath: /etc/ssl/certs/custom-root-ca.crt
+ subPath: ca.crt
+ readOnly: true
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- if .Values.livenessProbe.enabled }}
@@ -66,6 +77,12 @@ spec:
 timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
 failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
 {{- end }}
+ {{- if .Values.customRootCA }}
+ volumes:
+ - name: custom-root-ca
+ secret:
+ secretName: {{ .Values.customRootCA }}
+ {{- end }}
 {{- if .Values.persistence.enabled }}
 volumeClaimTemplates:
 - metadata:
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 9041d7e..c8e75f0 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -9,6 +9,9 @@ image:
 # StatefulSet configuration
 replicaCount: 1
 
+# RootCA setup, need name of secret in same namespace
+customRootCA: ""
+
 # Service configuration
 service:
 type: ClusterIP
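Review bot: The `subPath: ca.crt` mount added in this hunk is not refreshed when the Secret changes (Kubernetes documents that subPath volume mounts do not receive Secret updates), so rotating the CA requires a pod restart; that caveat belongs next to the mount, e.g. `# subPath mount: CA rotation requires a rollout restart of the StatefulSet`. The key name `ca.crt` is also hard-coded here, so a Secret created under a different key fails at mount time rather than at install time; consider mapping the key with `items:` on the volume or at least stating the required key in the `customRootCA` description. The enclosing container spec starts and ends outside this hunk.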
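Review bot: `secretName: {{ .Values.customRootCA }}` is rendered unquoted, so a value that looks like a number or boolean, or contains YAML specials, produces a mistyped or invalid field; prefer `secretName: {{ .Values.customRootCA | quote }}`. If the template already emits a `volumes:` list for the pod elsewhere (for example when persistence is disabled, which this hunk does not show), the conditional block added here would yield a duplicate key; confirm by rendering with and without `persistence.enabled`. The enclosing pod spec starts before and ends after this hunk.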
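Review bot: The comment `# RootCA setup, need name of secret in same namespace` added above `customRootCA` is ungrammatical and omits the contract the template relies on, namely the Secret key name; I would replace it with `# Name of an existing Secret in the release namespace whose "ca.crt" key holds the PEM CA certificate to trust. Empty disables the mount.` The `ca.crt` key is taken from the accompanying statefulset change, so keep the two in sync if either is renamed.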