diff --git a/dockerfiles/che/entrypoint.sh b/dockerfiles/che/entrypoint.sh
index 1cd4c3507ed368d073d8d292bd65537dc1d09884..44190c19988513f25a7eee6984a53c6a64b02adc 100755
--- a/dockerfiles/che/entrypoint.sh
+++ b/dockerfiles/che/entrypoint.sh
@@ -291,27 +291,48 @@ init() {
 }
 add_cert_to_truststore() {
- if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then
- DEFAULT_JAVA_TRUST_STORE=$JAVA_HOME/jre/lib/security/cacerts
- DEFAULT_JAVA_TRUST_STOREPASS="changeit"
+ DEFAULT_JAVA_TRUST_STORE=${JAVA_HOME}/lib/security/cacerts
+ DEFAULT_JAVA_TRUST_STOREPASS="changeit"
- JAVA_TRUST_STORE=/home/user/cacerts
- SELF_SIGNED_CERT=/home/user/self-signed.crt
+ JAVA_TRUST_STORE=/home/user/cacerts
+ SELF_SIGNED_CERT=/home/user/self-signed.crt
- echo "Found a custom cert. Adding it to java trust store based on $DEFAULT_JAVA_TRUST_STORE"
+ MESSAGE="Found a custom cert. Adding it to java trust store $JAVA_TRUST_STORE"
+ if [ ! -f "$JAVA_TRUST_STORE" ]; then
+ echo "$MESSAGE based on $DEFAULT_JAVA_TRUST_STORE"
 cp $DEFAULT_JAVA_TRUST_STORE $JAVA_TRUST_STORE
+ else
+ echo "$MESSAGE"
+ fi
- echo "$CHE_SELF__SIGNED__CERT" > $SELF_SIGNED_CERT
+ echo "$1" > $SELF_SIGNED_CERT
- # make sure that owner has permissions to write and other groups have permissions to read
- chmod 644 $JAVA_TRUST_STORE
+ # make sure that owner has permissions to write and other groups have permissions to read
+ # note that this might not work when running as anyuid OpenShift user, which is why we're forcing a true if it fails
+ chmod 644 $JAVA_TRUST_STORE || true
- echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias HOSTDOMAIN -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null
+ echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias "$2" -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null
+ # allow only read by all groups
+ chmod 444 $JAVA_TRUST_STORE
+ if [[ "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStore"* && "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStorePassword"* ]]; then
+ export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=$JAVA_TRUST_STORE -Djavax.net.ssl.trustStorePassword=$DEFAULT_JAVA_TRUST_STOREPASS"
+ fi
+}
- # allow only read by all groups
- chmod 444 $JAVA_TRUST_STORE
+add_che_cert_to_truststore() {
+ if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then
+ add_cert_to_truststore "${CHE_SELF__SIGNED__CERT}" "HOSTDOMAIN"
+ fi
+}
- export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=$JAVA_TRUST_STORE -Djavax.net.ssl.trustStorePassword=$DEFAULT_JAVA_TRUST_STOREPASS"
+add_public_cert_to_truststore() {
+ CUSTOM_PUBLIC_CERTIFICATES="/public-certs"
+ if [[ -d "$CUSTOM_PUBLIC_CERTIFICATES" && -n "$(find $CUSTOM_PUBLIC_CERTIFICATES -type f)" ]]; then
+ FILES="$CUSTOM_PUBLIC_CERTIFICATES/*"
+ for cert in $FILES
+ do
+ add_cert_to_truststore "$(<$cert)" "HOSTDOMAIN-$(basename $cert)"
+ done
 fi
 }
@@ -374,7 +395,8 @@ trap 'responsible_shutdown' SIGHUP SIGTERM SIGINT
 init
 init_global_variables
 set_environment_variables
-add_cert_to_truststore
+add_che_cert_to_truststore
+add_public_cert_to_truststore
 # run che
 start_che_server &
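Review bot: The keytool line in add_cert_to_truststore discards the import's exit status (only stdout goes to /dev/null), so a failed import — an alias already present in a reused /home/user/cacerts, a store left unwritable when the now-tolerated `chmod 644 ... || true` did not take effect, or a file in /public-certs that is not a PEM certificate — still lets the script export JAVA_OPTS pointing at a truststore that lacks the certificate, with nothing in the log attributing the failure to that cert; unless `set -e` is enabled elsewhere in the file, append `|| echo "WARNING: failed to import certificate '$2' into $JAVA_TRUST_STORE" >&2` to that line. The loop in add_public_cert_to_truststore relies on unquoted expansions (`for cert in $FILES`, `$(<$cert)`, `basename $cert`, `find $CUSTOM_PUBLIC_CERTIFICATES`), which breaks on names containing whitespace and would also try to read a subdirectory as a certificate; `for cert in "$CUSTOM_PUBLIC_CERTIFICATES"/*; do` with `[ -f "$cert" ] || continue` and `add_cert_to_truststore "$(<"$cert")" "HOSTDOMAIN-$(basename "$cert")"` covers both. In the JAVA_OPTS guard the second `!=` pattern is redundant, since `*"-Djavax.net.ssl.trustStore"*` already matches the trustStorePassword flag, and when an operator has pre-set a different -Djavax.net.ssl.trustStore the certificate is still imported into /home/user/cacerts without ever being used; a comment such as `# a pre-set -Djavax.net.ssl.trustStore wins: the cert imported above is only effective if that store is $JAVA_TRUST_STORE` above the guard would make that explicit.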