diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md
index f3415be786659..f8a2ddedab792 100644
--- a/docs/operator-manual/user-management/index.md
+++ b/docs/operator-manual/user-management/index.md
@@ -373,6 +373,21 @@ You are not required to specify a logoutRedirectURL as this is automatically gen
 !!! note
     The post logout redirect URI may need to be whitelisted against your OIDC provider's client settings for ArgoCD.
 
+### Configuring a custom root CA certificate for communicating with the OIDC provider
+
+If your OIDC provider is setup with a certificate which is not signed by one of the well known certificate authorities
+you can provide a custom certificate which will be used in verifying the OIDC provider's TLS certificate when
+communicating with it.
+Add a `rootCA` to your `oidc.config` which contains the PEM encoded root certificate:
+
+```yaml
+  oidc.config: |
+    ...
+    rootCA: |
+      -----BEGIN CERTIFICATE-----
+      ... encoded certificate data here ...
+      -----END CERTIFICATE-----
+```
 
 ## SSO Further Reading
 
diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go
index 908d029eff0f8..dc04408c9bf01 100644
--- a/util/oidc/oidc.go
+++ b/util/oidc/oidc.go
@@ -107,10 +107,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, cache OIDCStateStorage, dex
 	if err != nil {
 		return nil, fmt.Errorf("parse redirect-uri: %v", err)
 	}
-	tlsConfig := settings.TLSConfig()
-	if tlsConfig != nil {
-		tlsConfig.InsecureSkipVerify = true
-	}
+	tlsConfig := settings.OIDCTLSConfig()
 	a.client = &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
diff --git a/util/settings/settings.go b/util/settings/settings.go
index 25f9d29a4f3ae..ca9babc3417b0 100644
--- a/util/settings/settings.go
+++ b/util/settings/settings.go
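Review bot: With `tlsConfig := settings.OIDCTLSConfig()` the OIDC http.Client still runs with certificate verification disabled whenever no rootCA is configured, because OIDCTLSConfig (added in the settings.go hunk of this commit) falls back to TLSConfig() with InsecureSkipVerify set to true; the new option only makes verification opt-in, so a provider certificate signed by a public CA is still accepted unverified by default. Consider making the insecure behaviour an explicit, separately named opt-in setting in OIDCConfig, defaulting to a verifying config that uses the system roots, and logging at warn level whenever verification is disabled so the posture is visible in the logs. The enclosing NewClientApp starts before and ends after the hunk.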
@@ -121,6 +121,7 @@ type OIDCConfig struct {
 	RequestedScopes        []string               `json:"requestedScopes,omitempty"`
 	RequestedIDTokenClaims map[string]*oidc.Claim `json:"requestedIDTokenClaims,omitempty"`
 	LogoutURL              string                 `json:"logoutURL,omitempty"`
+	RootCA                 string                 `json:"rootCA,omitempty"`
 }
 
 // DEPRECATED. Helm repository credentials are now managed using RepoCredentials
@@ -1530,6 +1531,27 @@ func (a *ArgoCDSettings) OAuth2ClientSecret() string {
 	return ""
 }
 
+func (a *ArgoCDSettings) OIDCTLSConfig() *tls.Config {
+	if oidcConfig := a.OIDCConfig(); oidcConfig != nil {
+		if oidcConfig.RootCA != "" {
+			certPool := x509.NewCertPool()
+			ok := certPool.AppendCertsFromPEM([]byte(oidcConfig.RootCA))
+			if !ok {
+				log.Warn("invalid oidc root ca cert - returning default tls.Config instead")
+				return &tls.Config{}
+			}
+			return &tls.Config{
+				RootCAs: certPool,
+			}
+		}
+	}
+	tlsConfig := a.TLSConfig()
+	if tlsConfig != nil {
+		tlsConfig.InsecureSkipVerify = true
+	}
+	return tlsConfig
+}
+
 func appendURLPath(inputURL string, inputPath string) (string, error) {
 	u, err := url.Parse(inputURL)
 	if err != nil {
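Review bot: The new `RootCA` field has no doc comment, and its expected format is only discoverable from OIDCTLSConfig further down in the file; add `// RootCA is an optional PEM-encoded CA certificate (or bundle) used to verify the OIDC provider's TLS certificate.` above the field so the contract lives with the type. The OIDCConfig struct definition starts outside the hunk.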
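Review bot: When `AppendCertsFromPEM` returns false the method only logs a warning and returns `&tls.Config{}`, so a mistyped rootCA silently switches the OIDC client to the system trust store instead of failing the configuration; since the operator explicitly asked for a custom CA, the message should at least state that system roots will be used, and it is worth having the settings loader reject the value up front where an error can be returned. The fallback at the end sets `InsecureSkipVerify = true` on the config returned by `a.TLSConfig()`; if that method hands out a shared pointer rather than a fresh copy (not visible in this hunk), the mutation leaks into every other user of that config, which should be confirmed. The exported method also lacks a doc comment; something like `// OIDCTLSConfig returns the TLS client config used to reach the OIDC provider: one trusting only oidc.config.rootCA when set, otherwise the server TLS config with certificate verification disabled.` would make the insecure default visible to readers. The hunk does not show the file's import block, so make sure crypto/tls and crypto/x509 are imported.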