diff --git a/pkg/repository/provider/unified_repo.go b/pkg/repository/provider/unified_repo.go
index 65571044f..b599db836 100644
--- a/pkg/repository/provider/unified_repo.go
+++ b/pkg/repository/provider/unified_repo.go
@@ -18,6 +18,7 @@ package provider
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/url"
 	"path"
@@ -496,6 +497,10 @@ func getStorageVariables(backupLocation *velerov1api.BackupStorageLocation, repo
 		result[udmrepo.StoreOptionS3Endpoint] = strings.Trim(s3URL, "/")
 		result[udmrepo.StoreOptionS3DisableTLSVerify] = config["insecureSkipTLSVerify"]
 		result[udmrepo.StoreOptionS3DisableTLS] = strconv.FormatBool(disableTLS)
+
+		if backupLocation.Spec.ObjectStorage != nil && backupLocation.Spec.ObjectStorage.CACert != nil {
+			result[udmrepo.StoreOptionS3CustomCA] = base64.StdEncoding.EncodeToString(backupLocation.Spec.ObjectStorage.CACert)
+		}
 	} else if backendType == repoconfig.AzureBackend {
 		domain, err := getAzureStorageDomain(config)
 		if err != nil {
diff --git a/pkg/repository/provider/unified_repo_test.go b/pkg/repository/provider/unified_repo_test.go
index 0a0401aec..0999957ee 100644
--- a/pkg/repository/provider/unified_repo_test.go
+++ b/pkg/repository/provider/unified_repo_test.go
@@ -18,6 +18,7 @@ package provider
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"testing"
 
@@ -366,6 +367,42 @@ func TestGetStorageVariables(t *testing.T) {
 				"skipTLSVerify": "false",
 			},
 		},
+		{
+			name: "aws, ObjectStorage section exists in BSL, s3Url exist, https, custom CA exist",
+			backupLocation: velerov1api.BackupStorageLocation{
+				Spec: velerov1api.BackupStorageLocationSpec{
+					Provider: "velero.io/aws",
+					Config: map[string]string{
+						"bucket":                "fake-bucket-config",
+						"prefix":                "fake-prefix-config",
+						"region":                "fake-region",
+						"s3Url":                 "https://fake-url/",
+						"insecureSkipTLSVerify": "false",
+					},
+					StorageType: velerov1api.StorageType{
+						ObjectStorage: &velerov1api.ObjectStorageLocation{
+							Bucket: "fake-bucket-object-store",
+							Prefix: "fake-prefix-object-store",
+							CACert: []byte{0x01, 0x02, 0x03, 0x04, 0x05},
+						},
+					},
+				},
+			},
+			getS3BucketRegion: func(bucket string) (string, error) {
+				return "region from bucket: " + bucket, nil
+			},
+			repoBackend: "fake-repo-type",
+			expected: map[string]string{
+				"bucket":        "fake-bucket-object-store",
+				"prefix":        "fake-prefix-object-store/fake-repo-type/",
+				"region":        "fake-region",
+				"fspath":        "",
+				"endpoint":      "fake-url",
+				"doNotUseTLS":   "false",
+				"skipTLSVerify": "false",
+				"customCA":      base64.StdEncoding.EncodeToString([]byte{0x01, 0x02, 0x03, 0x04, 0x05}),
+			},
+		},
 		{
 			name: "azure, getAzureStorageDomain fail",
 			backupLocation: velerov1api.BackupStorageLocation{
diff --git a/pkg/repository/udmrepo/kopialib/backend/s3.go b/pkg/repository/udmrepo/kopialib/backend/s3.go
index 0a6f56bb6..e2e01de75 100644
--- a/pkg/repository/udmrepo/kopialib/backend/s3.go
+++ b/pkg/repository/udmrepo/kopialib/backend/s3.go
@@ -52,6 +52,7 @@ func (c *S3Backend) Setup(ctx context.Context, flags map[string]string) error {
 	c.options.DoNotUseTLS = optionalHaveBool(ctx, udmrepo.StoreOptionS3DisableTLS, flags)
 	c.options.DoNotVerifyTLS = optionalHaveBool(ctx, udmrepo.StoreOptionS3DisableTLSVerify, flags)
 	c.options.SessionToken = optionalHaveString(udmrepo.StoreOptionS3Token, flags)
+	c.options.RootCA = optionalHaveBase64(ctx, udmrepo.StoreOptionS3CustomCA, flags)
 
 	c.options.Limits = setupLimits(ctx, flags)
 
diff --git a/pkg/repository/udmrepo/kopialib/backend/utils.go b/pkg/repository/udmrepo/kopialib/backend/utils.go
index 97fa2ab57..19fa7b278 100644
--- a/pkg/repository/udmrepo/kopialib/backend/utils.go
+++ b/pkg/repository/udmrepo/kopialib/backend/utils.go
@@ -18,6 +18,7 @@ package backend
 
 import (
 	"context"
+	"encoding/base64"
 	"strconv"
 	"time"
 
@@ -84,6 +85,19 @@ func optionalHaveDuration(ctx context.Context, key string, flags map[string]stri
 	return 0
 }
 
+func optionalHaveBase64(ctx context.Context, key string, flags map[string]string) []byte {
+	if value, exist := flags[key]; exist {
+		ret, err := base64.StdEncoding.DecodeString(value)
+		if err == nil {
+			return ret
+		}
+
+		backendLog()(ctx).Errorf("Ignore %s, value [%s] is invalid, err %v", key, value, err)
+	}
+
+	return nil
+}
+
 func backendLog() func(ctx context.Context) logging.Logger {
 	return logging.Module("kopialib-bd")
 }
diff --git a/pkg/repository/udmrepo/repo_options.go b/pkg/repository/udmrepo/repo_options.go
index 4f1276514..9337018f2 100644
--- a/pkg/repository/udmrepo/repo_options.go
+++ b/pkg/repository/udmrepo/repo_options.go
@@ -42,6 +42,7 @@ const (
 	StoreOptionS3Endpoint         = "endpoint"
 	StoreOptionS3DisableTLS       = "doNotUseTLS"
 	StoreOptionS3DisableTLSVerify = "skipTLSVerify"
+	StoreOptionS3CustomCA         = "customCA"
 
 	StoreOptionAzureKey            = "storageKey"
 	StoreOptionAzureDomain         = "storageDomain"