diff --git a/docker/README.md b/docker/README.md index 56411d09..7f2aa846 100644 --- a/docker/README.md +++ b/docker/README.md @@ -17,6 +17,12 @@ Then, all you need is to mount your `config.toml` as `/etc/rpxy.toml` and certif See [`docker-compose.yml`](./docker-compose.yml) for the detailed configuration. Note that the file path of keys and certificates must be ones in your docker container. +## Custom CAs for upstream TLS connections + +To add a custom certificate, you must use a non-`slim` non-`webpki` image. Then mount `/usr/local/share/ca-certificates` in the container with your desired CAs each in a file like `myca.crt`. The certificates are accepted in PEM format but file extension must be `crt`. + +e.g. `-v rpxy/ca-certificates:/usr/local/share/ca-certificates` + ## Differences among image tags of Docker Hub and GitHub Container Registry Differences among tags are summarized as follows. diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 5058f8b1..220ff678 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -62,6 +62,8 @@ EOF ####################################### function setup_ubuntu () { + update-ca-certificates + id ${USER} > /dev/null # Check the existence of the user, if not exist, create it. if [ $? -eq 1 ]; then
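Review bot: In the docker/README.md hunk, the example `-v rpxy/ca-certificates:/usr/local/share/ca-certificates` gives a host source that starts with neither `/` nor `./`, so Docker reads it as a volume name rather than a host directory and rejects it because of the slash. Suggest `-v ./rpxy/ca-certificates:/usr/local/share/ca-certificates:ro` or an absolute path. The `:ro` suffix is worth recommending in the text as well, since every `.crt` file in that directory becomes a trust anchor for upstream TLS connections and the container has no need to write to it. The sentence "non-`slim` non-`webpki` image" would also read more clearly if it named the tags that qualify, and it should say that the CAs are loaded at container start, so adding a file requires a restart.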
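Review bot: In the docker/entrypoint.sh hunk, the exit status of `update-ca-certificates` at the top of `setup_ubuntu` is never checked, so if the command fails (for example on a read-only root filesystem, or when the entrypoint does not run as root) the container starts with the default trust store and the operator gets no indication that the custom CA was not installed. Suggest handling the failure explicitly, e.g. `update-ca-certificates || { echo "update-ca-certificates failed" >&2; exit 1; }`, or at least logging a warning. The call now runs on every start, including when no CA directory is mounted, so it may be worth skipping it when `/usr/local/share/ca-certificates` contains no `.crt` files. A one-line comment above the call explaining that it imports the CAs mounted as described in the README would help future readers. Placement before `id ${USER}` is fine, since the `$?` test still follows `id` directly.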