diff --git a/container/pull.bzl b/container/pull.bzl index 72c11d6d0..fe9ef85da 100644 --- a/container/pull.bzl +++ b/container/pull.bzl @@ -56,6 +56,12 @@ container_import( repository_ctx.path("image"), ] + if repository_ctx.attr.cacerts: + args += [ + "--cacert", + repository_ctx.path(repository_ctx.attr.cacerts), + ] + # If a digest is specified, then pull by digest. Otherwise, pull by tag. if repository_ctx.attr.digest: args += [ @@ -90,6 +96,10 @@ container_pull = repository_rule( "repository": attr.string(mandatory = True), "digest": attr.string(), "tag": attr.string(default = "latest"), + "cacerts": attr.label( + allow_single_file = True, + mandatory = False, + ), "_puller": attr.label( executable = True, default = Label("@puller//file:downloaded"), diff --git a/container/push-tag.sh.tpl b/container/push-tag.sh.tpl index ff18532e4..d331dcd6d 100644 --- a/container/push-tag.sh.tpl +++ b/container/push-tag.sh.tpl @@ -28,4 +28,4 @@ function guess_runfiles() { RUNFILES="${PYTHON_RUNFILES:-$(guess_runfiles)}" -%{container_pusher} %{format} --name=%{tag} %{stamp} %{image} "$@" +%{container_pusher} %{format} %{cacerts} --name=%{tag} %{stamp} %{image} "$@" diff --git a/container/push.bzl b/container/push.bzl index 47b57a69e..9381f8b74 100644 --- a/container/push.bzl +++ b/container/push.bzl @@ -87,6 +87,8 @@ def _impl(ctx): layer_arg, ), "%{format}": "--oci" if ctx.attr.format == "OCI" else "", + "%{cacerts}": ( "--cacert " + ctx.file.cacerts.path ) \ + if ctx.file.cacerts else "", "%{container_pusher}": _get_runfile_path(ctx, ctx.executable._pusher), }, output = ctx.outputs.executable, @@ -100,6 +102,7 @@ def _impl(ctx): image["manifest"], ] + image.get("blobsum", []) + image.get("zipped_layer", []) + stamp_inputs + ([image["legacy"]] if image.get("legacy") else []) + + ([ctx.file.cacerts] if ctx.file.cacerts else []) + list(ctx.attr._pusher.default_runfiles.files), ) 
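Review bot: The new `--cacert` branch hands the puller a file that becomes a trust anchor for the registry connection, and nothing in the hunk says so. A comment above the `if` such as `# CA bundle the puller uses to verify the registry's TLS certificate; review changes to it like changes to a pinned digest.` would make that visible to whoever edits the rule next. The context lines below show that pulls may still go by tag instead of digest, and for those the TLS check is presumably the only thing authenticating the image, so the file behind `cacerts` is better checked in and reviewed than generated. Whether the prebuilt `@puller//file:downloaded` binary accepts `--cacert` is not visible in this diff and is worth confirming. The enclosing function starts and ends outside the hunk.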
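Review bot: The `cacerts` attribute on `container_pull` is added without a `doc` string, so users cannot tell what file format is expected or whether the bundle replaces or extends the default roots; the same applies to the `cacerts` attribute added to `container_push` in push.bzl. Something like `doc = "CA certificate file passed to the puller as --cacert to verify the registry's TLS certificate."` would cover it, with the expected format filled in from the puller's own documentation. The plural name also reads oddly next to `allow_single_file = True` and the singular `--cacert` flag, and `mandatory = False` is the default and can be dropped. The `repository_rule` call starts and ends outside the hunk.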
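Review bot: The `%{cacerts}` substitution in push.bzl uses `ctx.file.cacerts.path`, while the neighbouring `%{container_pusher}` entry goes through `_get_runfile_path`; the generated script resolves its tools under `RUNFILES`, so an exec-root path will likely not resolve when the certificate is a generated file or comes from an external repository. The later push.bzl hunk does add the file to the list that also carries the pusher's runfiles, so the file appears to be staged and only the path form looks wrong: `"%{cacerts}": ("--cacert " + _get_runfile_path(ctx, ctx.file.cacerts)) if ctx.file.cacerts else "",`. In push-tag.sh.tpl the placeholder expands unquoted, so a path containing whitespace would be split into several arguments. It is also worth confirming that the pusher exits with an error, rather than falling back to its default roots, when the file cannot be read. `_impl` starts and ends outside these hunks.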
@@ -146,6 +149,10 @@ container_push = rule(
 default = False,
 mandatory = False,
 ),
+ "cacerts": attr.label(
+ allow_single_file = True,
+ mandatory = False,
+ ),
 }.items() + _layer_tools.items()),
 executable = True,
 implementation = _impl,