diff --git a/docs/proxy.md b/docs/proxy.md
index 9c72019d12782faf8feb50785c54adf0d550e72c..aea84c182781001d51f8011c9debd0f35a9b2a3b 100644
--- a/docs/proxy.md
+++ b/docs/proxy.md
@@ -7,6 +7,12 @@ If you set http and https proxy, all nodes and loadbalancer will be excluded fro
  `http_proxy:"http://example.proxy.tld:port"`
  `https_proxy:"http://example.proxy.tld:port"`
 
+## Set custom CA
+
+CA must be already on each target nodes
+
+  `https_proxy_cert_file: /path/to/host/custom/ca.crt`
+
 ## Set default no_proxy (this will override default no_proxy generation)
 
 `no_proxy: "node1,node1_ip,node2,node2_ip...additional_host"`
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index 223b7c70bab6209fe1e1d5f4332394ea6ce2e105..3c2d5a8ded90d3f4a8729dddf44ed4a08808ed99 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -52,9 +52,10 @@ loadbalancer_apiserver_healthcheck_port: 8081
 ## When openstack or vsphere are used make sure to source in the required fields
 # external_cloud_provider:
 
-## Set these proxy values in order to update package manager and docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies and custom CA for https_proxy if needed
 # http_proxy: ""
 # https_proxy: ""
+# https_proxy_cert_file: ""
 
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 # no_proxy: ""
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 9ba4ad847f1a381e73f64d0fa855561fbded7e66..333446e6011d82af183afddfb47cba477705137c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -652,7 +652,7 @@ host_os: >-
 # Setting it to 0 allows unlimited requests per second.
 kubelet_event_record_qps: 5
 
-proxy_env:
+proxy_env_defaults:
   http_proxy: "{{ http_proxy | default ('') }}"
   HTTP_PROXY: "{{ http_proxy | default ('') }}"
   https_proxy: "{{ https_proxy | default ('') }}"
@@ -660,6 +660,10 @@ proxy_env:
   no_proxy: "{{ no_proxy | default ('') }}"
   NO_PROXY: "{{ no_proxy | default ('') }}"
 
+# If we use SSL_CERT_FILE: {{ omit }} it cause in value __omit_place_holder__ and break environments
+# Combine dict is avoiding the problem with omit placeholder. Maybe it can be better solution?
+proxy_env: "{{ proxy_env_defaults | combine({ 'SSL_CERT_FILE': https_proxy_cert_file }) if https_proxy_cert_file is defined else proxy_env_defaults }}"
+
 proxy_disable_env:
   ALL_PROXY: ''
   FTP_PROXY: ''