diff --git a/design/authenticators/authn_oidc/oidc_configuration_enhancements.md b/design/authenticators/authn_oidc/oidc_configuration_enhancements.md index 89c321cd9b..629005b30d 100644 --- a/design/authenticators/authn_oidc/oidc_configuration_enhancements.md +++ b/design/authenticators/authn_oidc/oidc_configuration_enhancements.md 
@@ -8,9 +8,54 @@ There have been multiple instances where users of the OIDC authenticator have ex - Limited ability to debug OIDC-related HTTP errors ## Solution -An existing workaround for the CA cert issue mentioned previously involves a user manually updating the OpenSSL truststore in the container to include any custom CA certs. +It would be more consistent with other authenticator configs if authn-oidc were to support a `ca-cert` variable in the authenticator policy. This value would be used to inform the HTTP client which CA cert(s) to use to verify the connection with an OIDC provider and/or any proxies that sit in the middle. An authenticator policy featuring this variable may look like: +``` +- !policy + id: conjur + body: + - !policy + id: authn-oidc + body: + - !policy + id: okta + body: + - !webservice + + - !variable provider-uri + - !variable client-id + - !variable client-secret + + # URI of Conjur instance + - !variable redirect_uri + + # Defines the JWT claim to use as the Conjur identifier + - !variable claim-mapping + + # Nonce and State are random strings generated to supply an + # additional layer of security. These values should be generated when the + # authenticator is created. + - !variable nonce + - !variable state + + # Defines the CA cert (or chain) to be used for TLS verification with the + # OIDC provider and/or proxy + - !variable ca-cert + + # Group with permission to authenticate + - !group + id: authenticatable + annotations: + description: Users who can authenticate using this authenticator + + - !permit + role: !group authenticatable + privilege: [ read, authenticate ] + resource: !webservice +``` + -We can leverage this idea in Conjur to do the same thing on the fly. A simple wrapper method which creates a temporary truststore in the container and sets the OpenSSL environment variable `SSL_CERT_FILE` to point to this tempfile should be sufficient. 
Cleanup involves unsetting or resetting the environment variable to its original value, and ensuring that the tempfile has been cleaned up after code execution. +## Implementation +An existing workaround for the CA cert issue mentioned previously involves a user manually updating the OpenSSL truststore in the container to include any custom CA certs. We can leverage this idea in Conjur to do the same thing on the fly. A simple wrapper method which creates a temporary truststore in the container and sets the OpenSSL environment variable `SSL_CERT_FILE` to point to this tempfile should be sufficient. Cleanup involves unsetting or resetting the environment variable to its original value, and ensuring that the tempfile has been cleaned up after code execution. An example of what this wrapper method may look like: ```ruby
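Review bot: The wrapper in the Implementation section makes `SSL_CERT_FILE` process-wide shared state, which is a race: Conjur handles requests concurrently, so two authentications through different authn-oidc service IDs (the policy shows `okta` as one of them) carrying different `ca-cert` values, or any unrelated outbound TLS connection in the same process, can observe the wrong truststore between the set and the reset, and pointing the variable at the tempfile replaces the default CA bundle instead of extending it. Suggest scoping the trust to the one connection instead of the environment: build `store = OpenSSL::X509::Store.new; store.set_default_paths` (drop `set_default_paths` if replacing the system CAs is intended), call `store.add_cert(OpenSSL::X509::Certificate.new(pem))` for each certificate in the `ca-cert` value, and pass it with `http.cert_store = store` (or as `cert_store` on the `SSLContext` the OIDC client uses). That removes the tempfile, the cleanup path and the concurrency problem. If the environment-variable design is kept, the doc should state that the reset happens in an `ensure` block and that configuring different `ca-cert` values on more than one authn-oidc service ID is unsafe. Separately, the policy comment that `nonce` and `state` "should be generated when the authenticator is created" describes static values, whereas OIDC expects a fresh nonce and state per authorization request; the comment should either say the variables hold per-request values or explain why a static value is acceptable here.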