diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c
index 4137415628..9359bd447d 100644
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -630,7 +630,13 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
         goto error;
     }
 
-    if (config->use_global_ca_store == true) {
+    if (config->crt_bundle_attach != NULL) {
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+        esp_transport_ssl_crt_bundle_attach(ssl, config->crt_bundle_attach);
+#else //CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+        ESP_LOGE(TAG, "use_crt_bundle configured but not enabled in menuconfig: Please enable MBEDTLS_CERTIFICATE_BUNDLE option");
+#endif
+    } else if (config->use_global_ca_store == true) {
         esp_transport_ssl_enable_global_ca_store(ssl);
     } else if (config->cert_pem) {
         esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h
index b18e8d0f8a..f5f8eee13d 100644
--- a/components/esp_http_client/include/esp_http_client.h
+++ b/components/esp_http_client/include/esp_http_client.h
@@ -133,6 +133,8 @@ typedef struct {
     bool                        is_async;                 /*!< Set asynchronous mode, only supported with HTTPS for now */
     bool                        use_global_ca_store;      /*!< Use a global ca_store for all the connections in which this bool is set. */
     bool                        skip_cert_common_name_check;    /*!< Skip any validation of server certificate CN field */
+    esp_err_t (*crt_bundle_attach)(void *conf);      /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
+                                                          bundle for server verification, must be enabled in menuconfig */
     bool                        keep_alive_enable;   /*!< Enable keep-alive timeout */
     int                         keep_alive_idle;     /*!< Keep-alive idle time. Default is 5 (second) */
     int                         keep_alive_interval; /*!< Keep-alive interval time. Default is 5 (second) */
diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c
index 6558bbab91..91fdfaaa88 100644
--- a/components/esp_https_ota/src/esp_https_ota.c
+++ b/components/esp_https_ota/src/esp_https_ota.c
@@ -160,6 +160,12 @@ static esp_err_t _ota_write(esp_https_ota_t *https_ota_handle, const void *buffe
     return err;
 }
 
+static bool is_server_verification_enabled(esp_https_ota_config_t *ota_config) {
+    return  (ota_config->http_config->cert_pem
+            || ota_config->http_config->use_global_ca_store
+            || !(ota_config->http_config->crt_bundle_attach == NULL));
+}
+
 esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle)
 {
     esp_err_t err;
@@ -173,8 +179,8 @@ esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_
     }
 
 #if !CONFIG_OTA_ALLOW_HTTP
-    if (!ota_config->http_config->cert_pem) {
-        ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
+    if (!is_server_verification_enabled(ota_config)) {
+        ESP_LOGE(TAG, "No option for server verification is enabled in esp_http_client config.");
         *handle = NULL;
         return ESP_ERR_INVALID_ARG;
     }
diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h
index 2711abf330..3b7ab22c86 100644
--- a/components/tcp_transport/include/esp_transport_ssl.h
+++ b/components/tcp_transport/include/esp_transport_ssl.h
@@ -52,6 +52,16 @@ void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data,
  */
 void esp_transport_ssl_set_cert_data_der(esp_transport_handle_t t, const char *data, int len);
 
+/**
+ * @brief      Enable the use of certification bundle for server verfication for
+ *             an SSL connection.
+ *             It must be first enabled in menuconfig.
+ *
+ * @param      t    ssl transport
+ * @param[in]  crt_bundle_attach    Function pointer to esp_crt_bundle_attach
+ */
+void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((*crt_bundle_attach)(void *conf)));
+
 /**
  * @brief      Enable global CA store for SSL connection
  *
@@ -141,14 +151,12 @@ void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t);
  */
 void esp_transport_ssl_use_secure_element(esp_transport_handle_t t);
 
-
 /**
  * @brief      Set the ds_data handle in ssl context.(used for the digital signature operation)
  *
  * @param      t        ssl transport
  *             ds_data  the handle for ds data params
  */
-
 void esp_transport_ssl_set_ds_data(esp_transport_handle_t t, void *ds_data);
 
 /**
diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c
index 573782e64b..214f877dd4 100644
--- a/components/tcp_transport/transport_ssl.c
+++ b/components/tcp_transport/transport_ssl.c
@@ -304,6 +304,14 @@ void esp_transport_ssl_use_secure_element(esp_transport_handle_t t)
 }
 #endif
 
+void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((*crt_bundle_attach)(void *conf)))
+{
+    transport_ssl_t *ssl = esp_transport_get_context_data(t);
+    if (t && ssl) {
+        ssl->cfg.crt_bundle_attach = crt_bundle_attach;
+    }
+}
+
 static int ssl_get_socket(esp_transport_handle_t t)
 {
     if (t) {