diff --git a/Dockerfile b/Dockerfile
index c536af7..2d6d061 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,15 @@
 ARG BUILD_IMAGE=gradle:7.4-jdk17
 ARG RUN_IMAGE=quay.io/wildfly/wildfly:26.1.3.Final-jdk17
 ARG ORACLE_DRIVER_PATH=/ojdbc11-21.7.0.0.jar
-ARG CUSTOM_CRT_URL=http://pki.jlab.org/JLabCA.crt
+ARG CUSTOM_CRT_URL="http://crl.acc.jlab.org/acc-ca.crt http://pki.jlab.org/JLabCA.crt"
 ################## Stage 0
 FROM ${BUILD_IMAGE} as builder
 ARG CUSTOM_CRT_URL
 USER root
 WORKDIR /
-RUN if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
- wget -O /usr/local/share/ca-certificates/customcert.crt $CUSTOM_CRT_URL \
- && update-ca-certificates \
- && keytool -import -alias custom -file /usr/local/share/ca-certificates/customcert.crt -cacerts -storepass changeit -noprompt \
- && export OPTIONAL_CERT_ARG=--cert=/etc/ssl/certs/ca-certificates.crt \
- ; fi
 COPY . /app
+RUN /app/scripts/update-certs-builder.sh ${CUSTOM_CRT_URL}
 ## Let's minimize layers in final-product by organizing files into a single copy structure
 RUN mkdir /unicopy \
@@ -23,7 +18,8 @@ RUN mkdir /unicopy \
 && cp /app/scripts/docker-entrypoint.sh /unicopy \
 && cp /app/scripts/server-setup.sh /unicopy \
 && cp /app/scripts/provided-setup.sh /unicopy \
- && cp /app/scripts/app-setup.sh /unicopy
+ && cp /app/scripts/app-setup.sh /unicopy \
+ && cp /app/scripts/update-certs-runner.sh /unicopy
 ################## Stage 1
 FROM ${RUN_IMAGE} as runner
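Review bot: Both URLs in the new `ARG CUSTOM_CRT_URL` default are plain `http://`, and what they return ends up as a trusted CA in both images via `RUN /app/scripts/update-certs-builder.sh ${CUSTOM_CRT_URL}` here and `RUN /update-certs-runner.sh ${CUSTOM_CRT_URL}` in the runner-stage hunk. The two scripts are not in this diff, so whether they verify what they download is unknown; if they fetch and import the way the removed inline `wget`/`curl` plus `keytool -import` code did, the trust store's contents depend on an unauthenticated network path at build time. Consider committing the expected SHA-256 fingerprint of each certificate and having the scripts compare it before importing, or adding the certificates to the build context and dropping the download. The unquoted `${CUSTOM_CRT_URL}` appears deliberate now that the value holds two space-separated URLs; a comment such as `# unquoted on purpose: one argument per URL` above the `RUN` would keep it from being quoted later.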
@@ -32,11 +28,7 @@ ARG RUN_USER=jboss:jboss
 ARG ORACLE_DRIVER_PATH
 USER root
 COPY --from=builder /unicopy /
-RUN if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
- curl -sS -o /etc/pki/ca-trust/source/anchors/customcert.crt $CUSTOM_CRT_URL \
- && update-ca-trust \
- && keytool -import -alias custom -file /etc/pki/ca-trust/source/anchors/customcert.crt -cacerts -storepass changeit -noprompt \
- ; fi \
+RUN /update-certs-runner.sh ${CUSTOM_CRT_URL} \
 && chsh -s /bin/bash jboss \
 && /server-setup.sh /docker-server.env \
 && rm -rf /opt/jboss/wildfly/standalone/configuration/standalone_xml_history
diff --git a/scripts/server-setup.sh b/scripts/server-setup.sh
index 18b0301..0620023 100755
--- a/scripts/server-setup.sh
+++ b/scripts/server-setup.sh
@@ -97,7 +97,7 @@ EOF
 }
 apply_elytron_patch() {
-if [[ -z "${APPLY_ELYTRON_PATCH}}" ]]; then
+if [[ -z "${APPLY_ELYTRON_PATCH}" ]]; then
 echo "Skipping elytron patch because APPLY_ELYTRON_PATCH undefined"
 return 0
 fi
@@ -106,7 +106,7 @@ wget -O "${WILDFLY_APP_HOME}/modules/system/layers/base/org/wildfly/security/ely
 }
 config_admin_user() {
-if [[ -z "${APPLY_ELYTRON_PATCH}}" ]]; then
+if [[ -z "${APPLY_ELYTRON_PATCH}" ]]; then
 echo "Skipping config admin because WILDFLY_USER undefined"
 return 0
 fi
@@ -118,17 +118,17 @@ config_ssl() {
 if [[ -z "${KEYSTORE_NAME}" ]]; then
 echo "Skipping config ssl because KEYSTORE_NAME undefined"
 return 0
-fi
-
-${WILDFLY_CLI_PATH} -c <
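Review bot: `${CUSTOM_CRT_URL}` in `RUN /update-certs-runner.sh ${CUSTOM_CRT_URL}` is only populated if the runner stage re-declares `ARG CUSTOM_CRT_URL` after its `FROM`; the visible context shows `ARG RUN_USER` and `ARG ORACLE_DRIVER_PATH` but not that one, although the declaration may sit just above the hunk. If it is missing, the script is called with no arguments and the runner image is presumably built without the custom CAs and without any error. Please confirm the `ARG` line exists. Also consider having `update-certs-runner.sh` print a message when it receives no URLs, as the removed inline code did with `No custom cert needed`, so a skipped import is visible in the build log.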
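Review bot: In `config_admin_user` (the `@@ -106,7 +106,7 @@` hunk) the guard still tests `APPLY_ELYTRON_PATCH` while its message says `WILDFLY_USER undefined`, which looks like a copy-paste from `apply_elytron_patch`, and the brace fix is what makes it matter. Before this commit the stray `}` kept the test false, so the function always ran; now the admin-user step is skipped whenever `APPLY_ELYTRON_PATCH` is unset, and still runs with an unset `WILDFLY_USER` when the patch flag is set. If the message reflects the intent, the line should read `if [[ -z "${WILDFLY_USER}" ]]; then`. The rest of the function body is outside the hunk, so the variables it actually reads should be checked there.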