diff --git a/osc/conf.py b/osc/conf.py
index b1a4cd50..9ff7ec47 100644
--- a/osc/conf.py
+++ b/osc/conf.py
@@ -887,6 +887,12 @@ def get_config(override_conffile=None,
 if 'sslcertck' not in api_host_options[apiurl]:
 api_host_options[apiurl]['sslcertck'] = True
+ if 'cafile' not in api_host_options[apiurl]:
+ api_host_options[apiurl]['cafile'] = None
+
+ if 'capath' not in api_host_options[apiurl]:
+ api_host_options[apiurl]['capath'] = None
+
 if 'allow_http' not in api_host_options[apiurl]:
 api_host_options[apiurl]['allow_http'] = False
diff --git a/osc/connection.py b/osc/connection.py
index 341fd38d..6eaae181 100644
--- a/osc/connection.py
+++ b/osc/connection.py
@@ -261,6 +261,9 @@ def http_request(method: str, url: str, headers=None, data=None, file=None, retr
 pool_kwargs["ssl_context"] = ssl_context
 # turn cert verification off if sslcertck = 0
+ if options["cafile"] or options["capath"]:
+ ssl_context.load_verify_locations(cafile=options["cafile"], capath=options["capath"])
+
 # urllib3 v1
 pool_kwargs["cert_reqs"] = "CERT_REQUIRED" if options["sslcertck"] else "CERT_NONE"
diff --git a/tests/test_conf.py b/tests/test_conf.py
index 48d11880..499da38a 100644
--- a/tests/test_conf.py
+++ b/tests/test_conf.py
@@ -88,8 +88,8 @@ http_headers =
 realname = The Administrator
 email = admin@example.com
 sslcertck = 1
-cafile = unused
-capath = unused
+cafile = /path/to/custom_cacert.pem
+capath = /path/to/custom_cacert.d/
 trusted_prj = openSUSE:* SUSE:*
 downloadurl = http://example.com/
 sshkey = ~/.ssh/id_rsa.pub
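Review bot: A configured `cafile`/`capath` is stored exactly as written in the osc/conf.py hunk, which only fills in `None` when the option is absent, so a path such as `cafile = ~/certs/ca.pem` would reach `ssl_context.load_verify_locations` in osc/connection.py unexpanded unless it is normalised elsewhere in `get_config`, which this hunk does not show. The sample config in tests/test_conf.py already uses `~` for `sshkey`, so users are likely to write CA paths the same way. Normalising once here when a value is set, e.g. `api_host_options[apiurl]['cafile'] = os.path.expanduser(api_host_options[apiurl]['cafile'])` and the same for `capath`, keeps the trust-anchor path unambiguous. The body of `get_config` starts and ends outside the hunk.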
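Review bot: In the osc/connection.py hunk, `load_verify_locations` runs even when `sslcertck` is off, although the `cert_reqs` line below then selects `CERT_NONE` and the loaded CA is never consulted; a stale `cafile` path would still raise there, and a user who set `cafile` gets no hint that it is not being enforced. Gate the call, `if options["sslcertck"] and (options["cafile"] or options["capath"]):`, and consider a warning when a CA is configured while verification is disabled. The new block also lands directly under the existing `# turn cert verification off if sslcertck = 0` comment and should get its own, e.g. `# trust the per-host CA file/directory configured for this apiurl`. Whether these CAs replace or extend the default trust store depends on how `ssl_context` is created, which is outside the hunk, and is worth stating where the options are documented.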
@@ -356,11 +356,11 @@ class TestExampleConfig(unittest.TestCase):
 def test_host_option_cafile(self):
 host_options = self.config["api_host_options"][self.config["apiurl"]]
- self.assertEqual(host_options["cafile"], "unused")
+ self.assertEqual(host_options["cafile"], "/path/to/custom_cacert.pem")
 def test_host_option_capath(self):
 host_options = self.config["api_host_options"][self.config["apiurl"]]
- self.assertEqual(host_options["capath"], "unused")
+ self.assertEqual(host_options["capath"], "/path/to/custom_cacert.d/")
 def test_host_option_sshkey(self):
 host_options = self.config["api_host_options"][self.config["apiurl"]]
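Review bot: The updated assertions in `TestExampleConfig` check only that configured `cafile`/`capath` values are parsed; nothing covers the new `None` defaults added in osc/conf.py or that osc/connection.py hands the values to the SSL context. A test that loads a config without the two options and asserts `host_options["cafile"] is None` (and likewise for `capath`) would pin the default that `http_request` relies on when it indexes `options["cafile"]`. The class body starts and ends outside the hunk.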