diff --git a/overlay/usr/lib/systemd/system-preset/42-coreos.preset b/overlay/usr/lib/systemd/system-preset/42-coreos.preset
index c48e2ac0f3..5e84725706 100644
--- a/overlay/usr/lib/systemd/system-preset/42-coreos.preset
+++ b/overlay/usr/lib/systemd/system-preset/42-coreos.preset
@@ -2,6 +2,8 @@
 enable coreos-growpart.service
 enable console-login-helper-messages-issuegen.service
 enable console-login-helper-messages-motdgen.service
+# CA certs (probably to add to base fedora eventually)
+enable coreos-update-ca-trust.service
 # This one is from https://github.com/coreos/ignition-dracut
 enable ignition-firstboot-complete.service
 # Boot checkin services for cloud providers.
diff --git a/overlay/usr/lib/systemd/system/coreos-update-ca-trust.service b/overlay/usr/lib/systemd/system/coreos-update-ca-trust.service
new file mode 100644
index 0000000000..09710c4502
--- /dev/null
+++ b/overlay/usr/lib/systemd/system/coreos-update-ca-trust.service
@@ -0,0 +1,21 @@
+# This service is currently specific to Fedora CoreOS,
+# but we may want to add it to the base OS in the future.
+# The idea here is to allow users to just drop in CA roots
+# via Ignition without having to know to run the special
+# update command.
+[Unit]
+Description=Run update-ca-trust
+ConditionFirstBoot=true
+ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/
+# We want to run quite early, in particular before anything
+# that may speak TLS to external services. In the future,
+# it may make sense to do this in the initramfs too.
+DefaultDependencies=no
+
+[Service]
+ExecStart=/usr/bin/update-ca-trust extract
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=basic.target
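Review bot: Nothing in the [Unit] section of coreos-update-ca-trust.service orders it ahead of the services it is meant to precede. With `DefaultDependencies=no` on this unit, basic.target does not gain its automatic `After=` on it, so `WantedBy=basic.target` only pulls the service in, and a TLS client started in the same transaction can read the trust store before the Ignition-provided anchors have been extracted. Adding `Before=basic.target` next to `DefaultDependencies=no` would enforce what the comment describes. Because default dependencies are off, it is also worth confirming that the directory update-ca-trust writes to (presumably under /etc) is writable at that point, and adding an explicit `After=` on whichever unit guarantees that if the image does not already. Separately, `ConditionFirstBoot=true` means anchors dropped in after the first boot are not processed by this unit; a header comment line such as `# Only runs on first boot; later changes to anchors/ need a manual update-ca-trust.` would spare operators a silent trust mismatch.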