diff --git a/roles/build-container-image/tasks/setup-buildx.yaml b/roles/build-container-image/tasks/setup-buildx.yaml
index 546a9acf7..a55c9b0e4 100644
--- a/roles/build-container-image/tasks/setup-buildx.yaml
+++ b/roles/build-container-image/tasks/setup-buildx.yaml
@@ -2,6 +2,10 @@
 command: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
 when: ansible_architecture == 'x86_64'
 
+# TODO(clarkb) Use buildkitd.toml configuration to add certifications. That
+# may allow us to drop the ca-certificates install and update-ca-certificates
+# step below. More info here:
+# https://docs.docker.com/reference/cli/docker/buildx/create/#buildkitd-config
 - name: Create builder
 command: "docker buildx create --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %}"
 when: inventory_hostname == ansible_play_hosts[0]
@@ -37,6 +41,10 @@
 mode: preserve
 when: buildset_registry is defined and buildset_registry.cert
 
+- name: Install CA certs in worker container
+ command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} apk add --no-cache ca-certificates"
+ when: buildset_registry is defined and buildset_registry.cert
+
 - name: Copy buildset registry TLS cert into worker container
 command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
 when: buildset_registry is defined and buildset_registry.cert
diff --git a/roles/build-docker-image/tasks/setup-buildx.yaml b/roles/build-docker-image/tasks/setup-buildx.yaml
index f2fefbe14..241bffe81 100644
--- a/roles/build-docker-image/tasks/setup-buildx.yaml
+++ b/roles/build-docker-image/tasks/setup-buildx.yaml
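Review bot: The TODO added above `Create builder` in roles/build-container-image/tasks/setup-buildx.yaml says "certifications" where it means certificates, and it omits the reason the follow-up matters. The later tasks copy the buildset registry cert into `/usr/local/share/ca-certificates` in the worker, which, once the `update-ca-certificates` step the TODO mentions has run, presumably makes it trusted for every TLS connection buildkit makes rather than only for the buildset registry. I would reword the first sentence along the lines of `# TODO(clarkb) Use buildkitd.toml to configure the registry CA certificate so that trust is limited to the buildset registry.` and keep the remaining lines. The same comment is added in roles/build-docker-image/tasks/setup-buildx.yaml.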
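Review bot: The new `Install CA certs in worker container` task in roles/build-container-image/tasks/setup-buildx.yaml fetches an unpinned package from whatever apk repositories the worker image configures, on every run and inside the container that later builds the images; it also assumes the worker image provides `apk`. Installing only when the tool is absent avoids the network fetch when the image already ships it, for example by changing the command's tail to `sh -c 'command -v update-ca-certificates >/dev/null || apk add --no-cache ca-certificates'`. If the install has to stay unconditional, `register` with `until`/`retries` would absorb mirror flakiness and a `changed_when` would keep the task's reported status meaningful. The identical task added in roles/build-docker-image/tasks/setup-buildx.yaml has the same issue.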
@@ -4,6 +4,10 @@
 DOCKER_CLI_EXPERIMENTAL: enabled
 when: ansible_architecture == 'x86_64'
 
+# TODO(clarkb) Use buildkitd.toml configuration to add certifications. That
+# may allow us to drop the ca-certificates install and update-ca-certificates
+# step below. More info here:
+# https://docs.docker.com/reference/cli/docker/buildx/create/#buildkitd-config
 - name: Create builder
 command: "docker buildx create --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %}"
 environment:
@@ -47,6 +51,10 @@
 mode: preserve
 when: buildset_registry is defined and buildset_registry.cert
 
+- name: Install CA certs in worker container
+ command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} apk add --no-cache ca-certificates"
+ when: buildset_registry is defined and buildset_registry.cert
+
 - name: Copy buildset registry TLS cert into worker container
 command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
 when: buildset_registry is defined and buildset_registry.cert