diff --git a/sbkeys/generate-aws-sbkeys b/sbkeys/generate-aws-sbkeys
index d58add80261..65128b1866a 100755
--- a/sbkeys/generate-aws-sbkeys
+++ b/sbkeys/generate-aws-sbkeys
@@ -17,6 +17,7 @@ usage: ${0##*/} [--sdk-image SDK_IMAGE]
 [--code-sign-key CODE_SIGN_KEY]
 [--config-sign-key CONFIG_SIGN_KEY]
 [--output-dir OUTPUT_DIR]
+ [--ca-bundle CA_BUNDLE]
 Generate Secure Boot related files. AWS-aware edition.
@@ -33,6 +34,7 @@ Options:
 --code-sign-key KMS key ID or ARN for the code signing key (grub, vmlinuz).
 --config-sign-key KMS key ID or ARN for the config signing key (grub.cfg).
 --output-dir Path where the keys will be written.
+ --ca-bundle CA bundle to use to establish trust for AWS API calls.
 --help shows this usage text
 EOF
 }
@@ -78,6 +80,7 @@ parse_args() {
 --code-sign-key ) shift; CODE_SIGN_KEY="${1}" ;;
 --config-sign-key ) shift; CONFIG_SIGN_KEY="${1}" ;;
 --output-dir ) shift; OUTPUT_DIR="${1}" ;;
+ --ca-bundle ) shift; CA_BUNDLE="${1}" ;;
 *) ;;
 esac
 shift
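Review bot: The `--ca-bundle` value is stored as-is in the new case arm and nothing visible checks that it names a readable file, yet it later becomes the source of a `cp` and of a docker `-v` bind mount, where a missing or unreadable path surfaces as a copy or TLS error instead of a usage error. If parse_args validates its other arguments after the loop (that part of the function is outside this hunk), a check such as `[ -z "${CA_BUNDLE:-}" ] || [ -r "${CA_BUNDLE}" ] || { echo "CA bundle '${CA_BUNDLE}' is not readable" >&2; exit 1; }` would fail fast with a clear message. parse_args continues past the end of this hunk.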
@@ -99,16 +102,28 @@ parse_args() {
 }
 # Set default variables
-if ! AWS_PARTITION=$(aws sts get-caller-identity | jq -r '.Arn' | awk -F: '{ print $2 }' 2>/dev/null) ; then
- echo "Partition could not be determined, Defaulting to: aws."
- AWS_PARTITION="aws"
-fi
-
 CA_SIGNING_ALGORITHM="SHA384WITHRSA"
-
 parse_args "${@}"
+AWS_CLI_ARGS=()
+if [ -n "${CA_BUNDLE:-}" ] ; then
+ CA_BUNDLE_FILE="$(mktemp)"
+
+ # Move the ca bundle to a temporary file so that it is
+ # mounted to a sane location in docker
+ cp "${CA_BUNDLE}" "${CA_BUNDLE_FILE}"
+ CA_BUNDLE="${CA_BUNDLE_FILE}"
+
+ AWS_CLI_ARGS+=(--ca-bundle "${CA_BUNDLE}")
+fi
+AWS_CLI="aws ${AWS_CLI_ARGS[@]+"${AWS_CLI_ARGS[@]}"}"
+
+if ! AWS_PARTITION=$(${AWS_CLI} sts get-caller-identity | jq -r '.Arn' | awk -F: '{ print $2 }' 2>/dev/null) ; then
+ echo "Partition could not be determined, Defaulting to: aws."
+ AWS_PARTITION="aws"
+fi
+
 # To avoid needing separate scripts to parse args and launch the SDK container,
 # the logic to generate the profile is found below the separator. Copy that to
 # a temporary file so it can be executed using the desired method.
@@ -117,6 +132,9 @@ SBKEYS_SCRIPT="$(mktemp)"
 AWS_KMS_PKCS11_CONF="$(mktemp)"
 cleanup() {
 rm -f "${SBKEYS_SCRIPT}" "${AWS_KMS_PKCS11_CONF}"
+ if [ -n "${CA_BUNDLE:-}" ] ; then
+ rm -f "${CA_BUNDLE}"
+ fi
 }
 trap 'cleanup' EXIT
 tail -n +"${PRELUDE_END}" "${0}" >"${SBKEYS_SCRIPT}"
@@ -159,8 +177,11 @@ if [ -n "${SDK_IMAGE:-}" ] ; then
 ${AWS_ACCESS_KEY_ID:+-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID} \
 ${AWS_SECRET_ACCESS_KEY:+-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY} \
 ${AWS_SESSION_TOKEN:+-e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN} \
+ ${CA_BUNDLE:+-v $CA_BUNDLE:$CA_BUNDLE} \
 -e AWS_REGION="${AWS_REGION}" \
+ -e AWS_PARTITION="${AWS_PARTITION}" \
 -e AWS_DEFAULT_REGION="${AWS_REGION}" \
+ -e CA_SIGNING_ALGORITHM="${CA_SIGNING_ALGORITHM}" \
 -e PK_CA="${PK_CA}" \
 -e KEK_CA="${KEK_CA}" \
 -e DB_CA="${DB_CA}" \
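Review bot: Flattening `AWS_CLI_ARGS` into the string `AWS_CLI` and then expanding it unquoted in `${AWS_CLI} sts get-caller-identity` reintroduces the word splitting and globbing on the mktemp path that the array was built to avoid, and the same unquoted command string is exported into the container and used in getcacert and gencert (the hunks at -204, -245 and -255). In the prelude the array can be used directly, `aws "${AWS_CLI_ARGS[@]+"${AWS_CLI_ARGS[@]}"}" sts get-caller-identity`, and the post-separator section, which already receives `CA_BUNDLE`, can define a small wrapper `aws_cli() { aws ${CA_BUNDLE:+--ca-bundle "${CA_BUNDLE}"} "$@"; }` and call `aws_cli acm-pca ...`, so no command string has to travel through the environment. With that, `AWS_CLI` no longer needs to be exported or passed with `-e`.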
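Review bot: The temporary CA bundle copy is created, and `CA_BUNDLE` re-pointed at it, in the block above before `trap 'cleanup' EXIT` is installed here, so an exit between the two (a failed `cp` under `set -e`, for example) leaves the copy behind in TMPDIR. Registering the trap before the first `mktemp`, or moving the copy below the trap, closes that window; the new guard can then be folded into the existing line, `rm -f "${SBKEYS_SCRIPT}" "${AWS_KMS_PKCS11_CONF}" ${CA_BUNDLE:+"${CA_BUNDLE}"}`. Whether `set -e` is in effect is not visible in this diff.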
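Review bot: The new bind mount `${CA_BUNDLE:+-v $CA_BUNDLE:$CA_BUNDLE}` is read-write and unquoted; the container only needs to read the trust bundle, and an unquoted `$CA_BUNDLE` word-splits if TMPDIR contains spaces. `${CA_BUNDLE:+-v "${CA_BUNDLE}:${CA_BUNDLE}:ro"} \` mounts it read-only and keeps the path intact. The neighbouring pre-existing `-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY` lines place credentials on the docker argv where `ps` can read them; docker's bare `-e AWS_SECRET_ACCESS_KEY` form forwards the variable from the environment without that, though it is outside this change. The `docker run` command starts before and continues past this hunk.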
@@ -169,6 +190,8 @@ if [ -n "${SDK_IMAGE:-}" ] ; then
 -e CODE_SIGN_KEY="${CODE_SIGN_KEY}" \
 -e CONFIG_SIGN_KEY="${CONFIG_SIGN_KEY}" \
 -e AWS_KMS_PKCS11_CONF="${AWS_KMS_PKCS11_CONF}" \
+ -e AWS_CLI="${AWS_CLI}" \
+ -e CA_BUNDLE="${CA_BUNDLE}" \
 -e OUTPUT_DIR="${OUTPUT_DIR}" \
 -w /tmp \
 "${SDK_IMAGE}" bash "${SBKEYS_SCRIPT}"
@@ -176,6 +199,8 @@ else
 export PK_CA KEK_CA DB_CA VENDOR_CA
 export CODE_SIGN_KEY CONFIG_SIGN_KEY SHIM_SIGN_KEY
 export AWS_REGION AWS_KMS_PKCS11_CONF OUTPUT_DIR
+ export AWS_PARTITION CA_SIGNING_ALGORITHM
+ export AWS_CLI CA_BUNDLE
 bash "${SBKEYS_SCRIPT}"
 fi
@@ -204,7 +229,7 @@ getcacert() {
 local arn ca
 arn="${1:?}"
 ca="${2:?}"
- aws acm-pca get-certificate-authority-certificate \
+ ${AWS_CLI} acm-pca get-certificate-authority-certificate \
 --certificate-authority-arn "${arn}" \
 --query 'Certificate' > "${ca}.crt"
 }
@@ -245,7 +270,7 @@ gencert() {
 -out "${key}.csr"
 cert_arn="$(\
- aws acm-pca issue-certificate \
+ ${AWS_CLI} acm-pca issue-certificate \
 --certificate-authority-arn "${ca_arn}" \
 --template-arn arn:${aws_partition}:acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1 \
 --csr "fileb://${key}.csr" \
@@ -255,11 +280,11 @@ gencert() {
 --idempotency-token "${key}" \
 --query 'CertificateArn')"
- aws acm-pca wait certificate-issued \
+ ${AWS_CLI} acm-pca wait certificate-issued \
 --certificate-authority-arn "${ca_arn}" \
 --certificate-arn "${cert_arn}"
- aws acm-pca get-certificate \
+ ${AWS_CLI} acm-pca get-certificate \
 --certificate-authority-arn "${ca_arn}" \
 --certificate-arn "${cert_arn}" \
 --query 'Certificate' \
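Review bot: `-e CA_BUNDLE="${CA_BUNDLE}"` expands `CA_BUNDLE` without the `:-` guard the rest of this change uses (`"${CA_BUNDLE:-}"` in the cleanup and bundle-setup blocks), so if the script runs under `set -u` — which those guards suggest, though the `set` line is not in the diff — a run without `--ca-bundle` aborts at this line with an unbound-variable error. `${CA_BUNDLE:+-e CA_BUNDLE="${CA_BUNDLE}"} \` passes the variable only when it is set, matching how the credential variables earlier in the same command are handled; `-e CA_BUNDLE="${CA_BUNDLE:-}"` is the minimal alternative. The `docker run` command starts before this hunk.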