diff --git a/docs/operator.md b/docs/operator.md
index 333ae47db5..b389752e3f 100644
--- a/docs/operator.md
+++ b/docs/operator.md
@@ -311,6 +311,61 @@ spec:
 EOF
 ```
 
+### Custom CA for Assisted Image Service OS Image Download
+
+It is possible to specify a CA to be used when downloading OS images. This should be used when OS images are being served from HTTPS servers where the CA would not typically be known to assisted-image-service.
+
+Start by creating a ConfigMap containing the CA bundle for downloading OS images and store this under the key "tls.crt".
+The ConfigMap should be installed in the same namespace as the infrastructure-operator (ie. `multicluster-engine` or `assisted-installer` depending on how the infrastucture operator was deployed).
+
+```
+oc create configmap image-service-additional-ca --from-file=/root/tls.crt
+```
+
+Then in the `AgentServiceConfig`, this ConfigMap should be referenced, in `OSImageCACertRef` 
+The CA bundle defined in the ConfigMap referred to by `OSImageCACertRef` will then be used when pulling osImages.
+
+``` bash
+cat <<EOF | kubectl apply -f -
+apiVersion: agent-install.openshift.io/v1beta1
+kind: AgentServiceConfig
+metadata:
+  name: agent
+spec:
+  OSImageCACertRef:
+    name: image-service-additional-ca
+  osImages:
+    - openshiftVersion: "4.14"
+      version: "414.92.202310170514-0"
+      url: "https://some-os-image-server.io/rhcos-4.14.0-rc.0-x86_64-live.x86_64.iso"
+      cpuArchitecture: "x86_64"
+    - openshiftVersion: "4.15"
+      version: "414.92.202310170514-0"
+      url: "https://some-os-image-server.io/rhcos-4.15.0-rc.0-x86_64-live.x86_64.iso"
+      cpuArchitecture: "x86_64"
+  databaseStorage:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: 10Gi
+  filesystemStorage:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: 20Gi
+  imageStorage:
+    accessModes:
+    - ReadWriteOnce
+    resources:
+      requests:
+        storage: 10Gi
+  mirrorRegistryRef:
+    name: mirror-registry-config-map
+EOF
+```
+
 ### Mirror Registry Configuration
 
 A ConfigMap can be used to configure assisted service to create installations using mirrored content. The ConfigMap contains two keys: