diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 7ae99c3633baecb12afe2f609f16efc8aeea440e..29ff6f1ef50cfccf4580d9d952ea3cf16a1af06c 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -200,6 +200,9 @@ The role implements the following: you put TLS private keys in central location where any operating system user can reach them provided they have appropriate read/write rights on the file itself, and provided they know the exact path of the file. +* Deploys CA certificate files, normally used for truststore purposes, to + ``/usr/local/share/ca-certificates/``, updating the TLS cache at + ``/etc/ssl/certs/`` along the way. Parameters @@ -245,6 +248,13 @@ Parameters server. Each element of the list should be a simple string denoting the name of the package. +**ca_certificates** (list, optional) + List of additional CA certificate files that should be deployed on the + server. Each element of the list should be a filepath to a CA certificate file + on originating (Ansible) host that should be copied to destination + server. Combinations of multiple CA certificates in the same file can be + specified as well. File names should end with ``.crt`` or ``.pem``. + Examples ~~~~~~~~ @@ -278,6 +288,8 @@ packages on all servers: - screen - debconf-utils + ca_certificates: + - ../certs/truststore.pem .. _ldap_client:
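Review bot: the new bullet under "The role implements the following" (hunk @@ -200,6 +200,9 @@) does not state that files placed in ``/usr/local/share/ca-certificates/`` become trust anchors for every application on the server that uses the system store at ``/etc/ssl/certs/``, and it does not say what happens to a certificate that is later dropped from the list. Suggest adding one sentence on the system-wide scope and one on whether previously deployed files are removed or left in place, so operators know how to withdraw trust in a CA.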
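Review bot: in the ``ca_certificates`` description (hunk @@ -245,6 +248,13 @@), "File names should end with ``.crt`` or ``.pem``" needs to say what the role does with a ``.pem`` file. On Debian, ``update-ca-certificates`` only picks up files ending in ``.crt`` from ``/usr/local/share/ca-certificates/``, so if the role relies on it, the description should state that ``.pem`` files are renamed on deployment, or else restrict the accepted suffix to ``.crt``. Minor wording: "on originating (Ansible) host" reads better as "on the originating (Ansible) host".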
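Review bot: the example value ``../certs/truststore.pem`` (hunk @@ -278,6 +288,8 @@) is a relative path, and neither the example nor the parameter description says which directory it is resolved against. Suggest naming the base directory in the ``ca_certificates`` description, or using an unambiguous path form in the example, since a path resolved against an unexpected directory would deploy a different file as a trusted CA.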