diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt
index 3d2ad9d855..a162a0a3ab 100644
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -45,6 +45,12 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
         list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
     endif()
 
+    # Add deprecated root certs if enabled. This config is not visible if the default cert
+    # bundle is not selected
+    if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST)
+        list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_deprecated.pem)
+    endif()
+
     if(CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE)
         get_filename_component(custom_bundle_path
         ${CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}")
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index e618261230..8fc0f0eb2b 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -348,6 +348,21 @@ menu "mbedTLS"
                 Name of the custom certificate directory or file. This path is evaluated
                 relative to the project root directory.
 
+        config MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST
+            bool "Add deprecated root certificates"
+            depends on MBEDTLS_CERTIFICATE_BUNDLE && !MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE
+            help
+                Include the deprecated list of root certificates in the bundle.
+                This list gets updated when a certificate is removed from the Mozilla's
+                NSS root certificate store. This config can be enabled if you would like
+                to ensure that none of the certificates that were deployed in the product
+                are affected because of the update to bundle. In turn, enabling this
+                config keeps expired, retracted certificates in the bundle and it may
+                pose a security risk.
+
+                - Deprecated cert list may grow based based on sync with upstream bundle
+                - Deprecated certs would be be removed in ESP-IDF (next) major release
+
         config MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS
             int "Maximum no of certificates allowed in certificate bundle"
             default 200
diff --git a/examples/protocols/https_request/sdkconfig.ci b/examples/protocols/https_request/sdkconfig.ci
index 5577f9549a..9f61f58c61 100644
--- a/examples/protocols/https_request/sdkconfig.ci
+++ b/examples/protocols/https_request/sdkconfig.ci
@@ -10,3 +10,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
 CONFIG_EXAMPLE_ETH_PHY_ADDR=1
 CONFIG_EXAMPLE_CONNECT_IPV6=y
 CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST=y