diff --git a/ccp/modules/ovis-compose.yml b/ccp/modules/ovis-compose.yml
index c369ec87..40f71ca2 100644
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -6,6 +6,7 @@ services:
 environment:
 - http_proxy=http://forward_proxy:3128
 - https_proxy=http://forward_proxy:3128
+ - TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs
 - OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true
 - OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}
 - OAUTH2_PROXY_PROVIDER=oidc
diff --git a/ccp/modules/ovis-setup.sh b/ccp/modules/ovis-setup.sh
index e22fcfaa..f8458837 100644
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
@@ -3,18 +3,21 @@ if [ -n "$ENABLE_OVIS" ]; then
 log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
 TRUSTED_CA_DIR="/etc/bridgehead/trusted-ca-certs"
+ OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES=""
 if [ -d "$TRUSTED_CA_DIR" ]; then
 shopt -s nullglob
- ca_candidates=("$TRUSTED_CA_DIR"/*.crt "$TRUSTED_CA_DIR"/*.pem)
+ ca_cert_candidates=("$TRUSTED_CA_DIR"/*.crt)
 shopt -u nullglob
- if [ ${#ca_candidates[@]} -gt 0 ]; then
- OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_candidates[*]}")"
- log INFO "OVIS oauth2-proxy will trust custom OIDC CA files from $TRUSTED_CA_DIR."
+ if [ ${#ca_cert_candidates[@]} -gt 0 ]; then
+ OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES="$(IFS=,; printf '%s' "${ca_cert_candidates[*]}")"
+ log INFO "OVIS oauth2-proxy will trust OIDC provider CA files from $TRUSTED_CA_DIR (*.crt)."
 else
- log INFO "No custom OIDC CA files (*.crt/*.pem) found in $TRUSTED_CA_DIR; using container system trust store only."
+ log INFO "No *.crt files found in $TRUSTED_CA_DIR; oauth2-proxy will use system trust store only."
 fi
+ else
+ log INFO "Trusted CA directory $TRUSTED_CA_DIR is missing; oauth2-proxy will use system trust store only."
 fi
 OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
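Review bot: The added `TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs` names a path inside the container, so it only has an effect if the host directory is bind-mounted at that same path in this service; the hunk shows no `volumes:` entry, so please confirm one exists (the `OAUTH2_PROXY_PROVIDER_CA_FILES` list on the following lines is built from host paths under the same directory and has the same requirement). The variable is also not one of the `OAUTH2_PROXY_*` options used by its neighbours, so it is presumably read by the image entrypoint rather than by oauth2-proxy itself; a one-line comment above it naming the consumer, e.g. `# not an oauth2-proxy option; read by <component — document which> to load extra CA certificates`, would save the next reader a search. Finally, when no `*.crt` is present the interpolated variable is now an explicit empty string, so `OAUTH2_PROXY_PROVIDER_CA_FILES=` is passed with no value; verify that oauth2-proxy treats this as "no extra CA files" rather than as a single empty file path, otherwise the empty case should drop the variable instead.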