1 files changed, 13 insertions, 3 deletions

diff --git a/op_crates/fetch/lib.rs b/op_crates/fetch/lib.rs
index c2c08d2cf..4bc37b998 100644
--- a/op_crates/fetch/lib.rs
+++ b/op_crates/fetch/lib.rs
@@ -260,6 +260,7 @@ where
   #[serde(default)]
   struct CreateHttpClientOptions {
     ca_file: Option<String>,
+    ca_data: Option<String>,
   }
 
   let args: CreateHttpClientOptions = serde_json::from_value(args)?;
@@ -269,7 +270,9 @@ where
     permissions.check_read(&PathBuf::from(ca_file))?;
   }
 
-  let client = create_http_client(args.ca_file.as_deref()).unwrap();
+  let client =
+    create_http_client(args.ca_file.as_deref(), args.ca_data.as_deref())
+      .unwrap();
 
   let rid = state.resource_table.add(HttpClientResource::new(client));
   Ok(json!(rid))
@@ -277,9 +280,16 @@ where
 
 /// Create new instance of async reqwest::Client. This client supports
 /// proxies and doesn't follow redirects.
-fn create_http_client(ca_file: Option<&str>) -> Result<Client, AnyError> {
+fn create_http_client(
+  ca_file: Option<&str>,
+  ca_data: Option<&str>,
+) -> Result<Client, AnyError> {
   let mut builder = Client::builder().redirect(Policy::none()).use_rustls_tls();
-  if let Some(ca_file) = ca_file {
+  if let Some(ca_data) = ca_data {
+    let ca_data_vec = ca_data.as_bytes().to_vec();
+    let cert = reqwest::Certificate::from_pem(&ca_data_vec)?;
+    builder = builder.add_root_certificate(cert);
+  } else if let Some(ca_file) = ca_file {
     let mut buf = Vec::new();
     File::open(ca_file)?.read_to_end(&mut buf)?;
     let cert = reqwest::Certificate::from_pem(&buf)?;