diff --git a/pkg/config/v1/plugin.go b/pkg/config/v1/plugin.go
index cdf3cf26..eca7bab8 100644
--- a/pkg/config/v1/plugin.go
+++ b/pkg/config/v1/plugin.go
@@ -103,6 +103,7 @@ type HTTP2HTTPSPluginOptions struct {
 	LocalAddr         string           `json:"localAddr,omitempty"`
 	HostHeaderRewrite string           `json:"hostHeaderRewrite,omitempty"`
 	RequestHeaders    HeaderOperations `json:"requestHeaders,omitempty"`
+	RootCA            string           `json:"rootCA,omitempty"`
 }
 
 func (o *HTTP2HTTPSPluginOptions) Complete() {}
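Review bot: The new `RootCA` field has no comment, and its name does not say that it holds a file path: the plugin code passes it to `os.ReadFile`, while the neighbouring options in HTTPS2HTTPSPluginOptions are named `CrtPath` and `KeyPath`. Add a comment above the field, such as `// RootCA is the path to a PEM file of CA certificates used to verify the backend's certificate; when empty, certificate verification is disabled.` The same comment applies to the field added to HTTPS2HTTPSPluginOptions in the next hunk. Both struct definitions start outside their hunks.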
@@ -137,6 +138,7 @@ type HTTPS2HTTPSPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
+	RootCA            string           `json:"rootCA,omitempty"`
 }
 
 func (o *HTTPS2HTTPSPluginOptions) Complete() {
diff --git a/pkg/plugin/client/http2https.go b/pkg/plugin/client/http2https.go
index 66f90989..5f1d5fc7 100644
--- a/pkg/plugin/client/http2https.go
+++ b/pkg/plugin/client/http2https.go
@@ -19,11 +19,13 @@ package plugin
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"io"
 	stdlog "log"
 	"net"
 	"net/http"
 	"net/http/httputil"
+	"os"
 
 	"github.com/fatedier/golib/pool"
 
@@ -53,8 +55,23 @@ func NewHTTP2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		l:    listener,
 	}
 
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	tr := &http.Transport{}
+
+	if opts.RootCA != "" {
+		caCert, err := os.ReadFile(opts.RootCA)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+		tr.TLSClientConfig = &tls.Config{
+			RootCAs: caCertPool,
+		}
+	} else {
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 
 	rp := &httputil.ReverseProxy{
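Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` is discarded, so a rootCA file with no parsable PEM certificate is accepted silently and the transport then verifies against the system roots only, which is not what the operator configured. Fail construction instead: `if !caCertPool.AppendCertsFromPEM(caCert) { return nil, fmt.Errorf("rootCA %q: no PEM certificates found", opts.RootCA) }` (`fmt` is not among the import lines visible for http2https.go, so it would need adding there). Because the pool starts from `x509.SystemCertPool()`, any publicly trusted CA is accepted alongside the configured one; if the option is meant to pin a private CA, start from `x509.NewCertPool()`. The same block appears in the NewHTTPS2HTTPSPlugin hunk in https2https.go. The function body starts and ends outside the hunk.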
diff --git a/pkg/plugin/client/https2https.go b/pkg/plugin/client/https2https.go
index 8121e094..5819cda4 100644
--- a/pkg/plugin/client/https2https.go
+++ b/pkg/plugin/client/https2https.go
@@ -19,12 +19,14 @@ package plugin
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	stdlog "log"
 	"net"
 	"net/http"
 	"net/http/httputil"
+	"os"
 	"time"
 
 	"github.com/fatedier/golib/pool"
@@ -58,8 +60,23 @@ func NewHTTPS2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		l:    listener,
 	}
 
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	tr := &http.Transport{}
+
+	if opts.RootCA != "" {
+		caCert, err := os.ReadFile(opts.RootCA)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+		tr.TLSClientConfig = &tls.Config{
+			RootCAs: caCertPool,
+		}
+	} else {
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 
 	rp := &httputil.ReverseProxy{
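Review bot: This TLS setup is a line-for-line copy of the one added to NewHTTP2HTTPSPlugin in http2https.go; moving it into one unexported helper in package plugin, for example `func newBackendTLSConfig(rootCA string) (*tls.Config, error)`, keeps the two plugins from drifting apart. A helper is also the one place to document that an empty rootCA still yields `InsecureSkipVerify: true`, so certificate checking stays off unless the option is set. With verification on and no `ServerName` in the config, the certificate is presumably matched against the host the proxy dials (the Director is outside this hunk), so a backend addressed by IP would need that IP in its certificate. The function continues outside the hunk.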