diff --git a/lib/puppet_x/bodeco/util.rb b/lib/puppet_x/bodeco/util.rb
index b1cda769..eee439ae 100644
--- a/lib/puppet_x/bodeco/util.rb
+++ b/lib/puppet_x/bodeco/util.rb
@@ -80,7 +80,22 @@ def initialize(_url, options)
           @proxy_port = uri.port
         end
 
-        ENV['SSL_CERT_FILE'] = File.expand_path(File.join(__FILE__, '..', 'cacert.pem')) if Facter.value(:osfamily) == 'windows' && !ENV.key?('SSL_CERT_FILE')
+        @osfamily = Facter.value(:osfamily)
+        if @osfamily == 'windows'
+          # Get the 'ssl_trust_store' setting from the puppet agent
+          Puppet.settings.preferred_run_mode = :agent
+          puppet_ssl_trust_store = Puppet.settings.to_h[:ssl_trust_store].value || nil
+
+          # Prefer 'ssl_trust_store' from the puppet agent, then SSL_CERT_FILE from the
+          # environment, and the bundled pem file as a last resort
+          @ssl_trust_store = if puppet_ssl_trust_store && File.exist?(puppet_ssl_trust_store)
+                               puppet_ssl_trust_store
+                             elsif ENV.key?('SSL_CERT_FILE')
+                               ENV['SSL_CERT_FILE']
+                             else
+                               File.expand_path(File.join(__FILE__, '..', 'cacert.pem'))
+                             end
+        end
       end
 
       def generate_request(uri)
@@ -98,6 +113,7 @@ def follow_redirect(uri, option = { limit: FOLLOW_LIMIT }, &block)
                     else
                       { use_ssl: false }
                     end
+        http_opts[:ca_file] = @ssl_trust_store if @osfamily == 'windows'
         Net::HTTP.start(uri.host, uri.port, @proxy_addr, @proxy_port, http_opts) do |http|
           http.request(generate_request(uri)) do |response|
             case response