diff --git a/cmd/helm/load_plugins.go b/cmd/helm/load_plugins.go
index 83590210a..70002b0b0 100644
--- a/cmd/helm/load_plugins.go
+++ b/cmd/helm/load_plugins.go
@@ -154,7 +154,7 @@ func callPluginExecutable(pluginName string, main string, argv []string, out io.
 func manuallyProcessArgs(args []string) ([]string, []string) {
 known := []string{}
 unknown := []string{}
- kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--registry-config", "--repository-cache", "--repository-config"}
+ kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--kube-ca-file", "--registry-config", "--repository-cache", "--repository-config"}
 knownArg := func(a string) bool {
 for _, pre := range kvargs {
 if strings.HasPrefix(a, pre+"=") {
diff --git a/cmd/helm/root.go b/cmd/helm/root.go
index 75742ca4a..f2be0b5a9 100644
--- a/cmd/helm/root.go
+++ b/cmd/helm/root.go
@@ -62,6 +62,7 @@ Environment variables:
 | $HELM_REPOSITORY_CONFIG | set the path to the repositories file. |
 | $KUBECONFIG | set an alternative Kubernetes configuration file (default "~/.kube/config") |
 | $HELM_KUBEAPISERVER | set the Kubernetes API Server Endpoint for authentication |
+| $HELM_KUBECAFILE | set the Kubernetes certificate authority file. |
 | $HELM_KUBEASGROUPS | set the Groups to use for impersonation using a comma-separated list. |
 | $HELM_KUBEASUSER | set the Username to impersonate for the operation. |
 | $HELM_KUBECONTEXT | set the name of the kubeconfig context. |
diff --git a/cmd/helm/testdata/output/env-comp.txt b/cmd/helm/testdata/output/env-comp.txt
index 3739d8bc1..b7befd69e 100644
--- a/cmd/helm/testdata/output/env-comp.txt
+++ b/cmd/helm/testdata/output/env-comp.txt
@@ -6,6 +6,7 @@ HELM_DEBUG
 HELM_KUBEAPISERVER
 HELM_KUBEASGROUPS
 HELM_KUBEASUSER
+HELM_KUBECAFILE
 HELM_KUBECONTEXT
 HELM_KUBETOKEN
 HELM_MAX_HISTORY
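Review bot: `kvargs` in `manuallyProcessArgs` (cmd/helm/load_plugins.go) is a hand-maintained copy of the value-taking global flags, and nothing in this hunk ties it to `EnvSettings.AddFlags` in pkg/cli, so the next flag registered there can be missed here. The visible `knownArg` closure only matches the `flag=value` form by prefix; how the space-separated form is handled lies outside the hunk, but a flag missing from the list presumably has its value passed on as an unknown argument. I would add a comment above the slice, `// kvargs must list every value-taking flag registered in cli.EnvSettings.AddFlags`, and a test case that passes `--kube-ca-file` in both the `=` and the space-separated form.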
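Review bot: The new help row for `$HELM_KUBECAFILE` in cmd/helm/root.go says only "set the Kubernetes certificate authority file.", which tells the reader neither that the value is a path nor what the CA is used for. The same gap is in the `--kube-ca-file` help string in the `AddFlags` hunk and in the `// Custom certificate authority file.` field comment in pkg/cli/environment.go, while neighbouring entries read "set the path to …" and "path to the …". Suggested wording for the row: `| $HELM_KUBECAFILE | set the path to the certificate authority file used to verify the Kubernetes API server certificate. |`, with matching text for the flag help and the field comment.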
diff --git a/pkg/cli/environment.go b/pkg/cli/environment.go
index 2202b02da..ee60d981f 100644
--- a/pkg/cli/environment.go
+++ b/pkg/cli/environment.go
@@ -54,6 +54,8 @@ type EnvSettings struct {
 KubeAsGroups []string
 // Kubernetes API Server Endpoint for authentication
 KubeAPIServer string
+ // Custom certificate authority file.
+ KubeCaFile string
 // Debug indicates whether or not Helm is running in Debug mode.
 Debug bool
 // RegistryConfig is the path to the registry config file.
@@ -77,6 +79,7 @@ func New() *EnvSettings {
 KubeAsUser: os.Getenv("HELM_KUBEASUSER"),
 KubeAsGroups: envCSV("HELM_KUBEASGROUPS"),
 KubeAPIServer: os.Getenv("HELM_KUBEAPISERVER"),
+ KubeCaFile: os.Getenv("HELM_KUBECAFILE"),
 PluginsDirectory: envOr("HELM_PLUGINS", helmpath.DataPath("plugins")),
 RegistryConfig: envOr("HELM_REGISTRY_CONFIG", helmpath.ConfigPath("registry.json")),
 RepositoryConfig: envOr("HELM_REPOSITORY_CONFIG", helmpath.ConfigPath("repositories.yaml")),
@@ -90,6 +93,7 @@ func New() *EnvSettings {
 Context: &env.KubeContext,
 BearerToken: &env.KubeToken,
 APIServer: &env.KubeAPIServer,
+ CAFile: &env.KubeCaFile,
 KubeConfig: &env.KubeConfig,
 Impersonate: &env.KubeAsUser,
 ImpersonateGroup: &env.KubeAsGroups,
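Review bot: The exported field added to `EnvSettings` is spelled `KubeCaFile`, which breaks the initialism convention the struct already follows with `KubeAPIServer` and that the target field `CAFile` uses in the `New()` hunk. Because the field is part of the exported API, renaming it after release is a breaking change, so it is cheapest to fix now: `KubeCAFile string`, with the same rename in `New()`, `AddFlags`, `EnvVars` and the test's `settings.KubeCaFile` comparison. The struct definition extends beyond this hunk on both sides.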
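Review bot: `CAFile: &env.KubeCaFile` in the third hunk of `New()` passes the flag or environment value straight into the client configuration, and nothing in this diff pins what happens when the selected kubeconfig cluster already carries embedded `certificate-authority-data` or sets `insecure-skip-tls-verify: true`. Which setting wins depends on the vendored client library, which is not visible here; if the kubeconfig value wins, a user who passes `--kube-ca-file` would get a connection that is not verified against that file, without any error. Once the behaviour is confirmed, state it at the assignment, for example `// CAFile takes precedence over the certificate authority configured in kubeconfig`, and add a test that builds the REST config from a kubeconfig with embedded CA data. The struct literal starts and ends outside the hunk.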
@@ -106,6 +110,7 @@ func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.KubeAsUser, "kube-as-user", s.KubeAsUser, "username to impersonate for the operation")
 fs.StringArrayVar(&s.KubeAsGroups, "kube-as-group", s.KubeAsGroups, "group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
 fs.StringVar(&s.KubeAPIServer, "kube-apiserver", s.KubeAPIServer, "the address and the port for the Kubernetes API server")
+ fs.StringVar(&s.KubeCaFile, "kube-ca-file", s.KubeCaFile, "the certificate authority file for the Kubernetes API server connection")
 fs.BoolVar(&s.Debug, "debug", s.Debug, "enable verbose output")
 fs.StringVar(&s.RegistryConfig, "registry-config", s.RegistryConfig, "path to the registry config file")
 fs.StringVar(&s.RepositoryConfig, "repository-config", s.RepositoryConfig, "path to the file containing repository names and URLs")
@@ -159,6 +164,7 @@ func (s *EnvSettings) EnvVars() map[string]string {
 "HELM_KUBEASUSER": s.KubeAsUser,
 "HELM_KUBEASGROUPS": strings.Join(s.KubeAsGroups, ","),
 "HELM_KUBEAPISERVER": s.KubeAPIServer,
+ "HELM_KUBECAFILE": s.KubeCaFile,
 }
 if s.KubeConfig != "" {
 envvars["KUBECONFIG"] = s.KubeConfig
diff --git a/pkg/cli/environment_test.go b/pkg/cli/environment_test.go
index ffdbce68b..31ba7a237 100644
--- a/pkg/cli/environment_test.go
+++ b/pkg/cli/environment_test.go
@@ -39,6 +39,7 @@ func TestEnvSettings(t *testing.T) {
 maxhistory int
 kAsUser string
 kAsGroups []string
+ kCaFile string
 }{
 {
 name: "defaults",
@@ -47,31 +48,34 @@ func TestEnvSettings(t *testing.T) {
 },
 {
 name: "with flags set",
- args: "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters",
+ args: "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters --kube-ca-file=/tmp/ca.crt",
 ns: "myns",
 debug: true,
 maxhistory: defaultMaxHistory,
 kAsUser: "poro",
 kAsGroups: []string{"admins", "teatime", "snackeaters"},
+ kCaFile: "/tmp/ca.crt",
 },
 {
 name: "with envvars set",
- envvars: map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5"},
+ envvars: map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5", "HELM_KUBECAFILE": "/tmp/ca.crt"},
 ns: "yourns",
 maxhistory: 5,
 debug: true,
 kAsUser: "pikachu",
 kAsGroups: []string{"operators", "snackeaters", "partyanimals"},
+ kCaFile: "/tmp/ca.crt",
 },
 {
 name: "with flags and envvars set",
- args: "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters",
- envvars: map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5"},
+ args: "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters --kube-ca-file=/my/ca.crt",
+ envvars: map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5", "HELM_KUBECAFILE": "/tmp/ca.crt"},
 ns: "myns",
 debug: true,
 maxhistory: 5,
 kAsUser: "poro",
 kAsGroups: []string{"admins", "teatime", "snackeaters"},
+ kCaFile: "/my/ca.crt",
 },
 }
 
@@ -107,6 +111,9 @@ func TestEnvSettings(t *testing.T) {
 if !reflect.DeepEqual(tt.kAsGroups, settings.KubeAsGroups) {
 t.Errorf("expected kAsGroups %+v, got %+v", len(tt.kAsGroups), len(settings.KubeAsGroups))
 }
+ if tt.kCaFile != settings.KubeCaFile {
+ t.Errorf("expected kCaFile %q, got %q", tt.kCaFile, settings.KubeCaFile)
+ }
 })
 }
 }