diff --git a/README.md b/README.md
index 78f2d7f..4883618 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ podman pull ghcr.io/openvoxproject/openvoxdb:8.9.0-v1.2.3
| **DNS_ALT_NAMES** | Additional DNS names to add to the services SSL certificate
Unset |
| **WAITFORCERT** | Number of seconds to wait for certificate to be signed
`120` |
| **USE_OPENVOXSERVER** | Set to `false` to skip acquiring SSL certificates from a Puppet Server.
`true` |
+| **OPENVOXDB_CERTIFICATE_ALLOWLIST** | Set to a comma seaprated list of allowed certnames.
`""` |
| **OPENVOXSERVER_HOSTNAME** | The DNS hostname of the puppet server
`puppet` |
| **OPENVOXSERVER_PORT** | The port of the puppet server
`8140` |
| **OPENVOXDB_POSTGRES_HOSTNAME** | The DNS hostname of the postgres service
`postgres` |
diff --git a/openvoxdb/Containerfile b/openvoxdb/Containerfile
index 3697b16..0cdb0e2 100644
--- a/openvoxdb/Containerfile
+++ b/openvoxdb/Containerfile
@@ -43,6 +43,7 @@ ENV CERTNAME="openvoxdb" \
OPENVOXDB_REPORT_TTL=14d \
OPENVOXDB_POSTGRES_USER=openvoxdb \
UBUNTU_VERSION="24.04" \
+ OPENVOXDB_CERTIFICATE_ALLOWLIST="" \
USE_OPENVOXSERVER=true \
WAITFORCERT=""
diff --git a/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh b/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh
new file mode 100755
index 0000000..905a904
--- /dev/null
+++ b/openvoxdb/docker-entrypoint.d/30-certificate-allowlist.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+hocon() {
+ /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/hocon "$@"
+}
+
+if [ "$OPENVOXDB_CERTIFICATE_ALLOWLIST" != "" ]; then
+ hocon -f /etc/puppetlabs/puppetdb/conf.d/puppetdb.conf set puppetdb.certificate-allowlist certificate-allowlist
+ IFS=','
+ for cert in $OPENVOXDB_CERTIFICATE_ALLOWLIST; do
+ echo $cert >> /opt/puppetlabs/server/apps/puppetdb/certificate-allowlist
+ done
+fi
+
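Review bot: The `>>` on the `echo $cert` line appends to `/opt/puppetlabs/server/apps/puppetdb/certificate-allowlist` without ever truncating it, so every container restart re-adds the same certnames and, more importantly, a certname removed from `OPENVOXDB_CERTIFICATE_ALLOWLIST` stays in the file and stays authorized. The file should be rewritten from scratch on each run, the entries written with `printf '%s\n' "$cert"` so a certname is never word-split, globbed or mistaken for an `echo` option, and the `hocon` call checked for failure since a silently unset `certificate-allowlist` leaves the access control unapplied. The config value is set to the relative path `certificate-allowlist` while the file is written to an absolute path; if PuppetDB does not resolve that relative to `/opt/puppetlabs/server/apps/puppetdb` the allowlist would not take effect, which is worth confirming. The global `IFS=','` is also left set for the rest of the script; splitting into an array keeps the change scoped to the `read`.
```shell
if [ "$OPENVOXDB_CERTIFICATE_ALLOWLIST" != "" ]; then
  allowlist_file=/opt/puppetlabs/server/apps/puppetdb/certificate-allowlist
  hocon -f /etc/puppetlabs/puppetdb/conf.d/puppetdb.conf set puppetdb.certificate-allowlist certificate-allowlist || exit 1
  # Rewrite the file from scratch so certnames dropped from the env var
  # do not remain authorized after a restart.
  : > "$allowlist_file"
  IFS=',' read -r -a certs <<< "$OPENVOXDB_CERTIFICATE_ALLOWLIST"
  for cert in "${certs[@]}"; do
    printf '%s\n' "$cert" >> "$allowlist_file"
  done
fi
```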