diff --git a/deployment/modules/aws/tesseract/conformance/main.tf b/deployment/modules/aws/tesseract/conformance/main.tf
index 6d1021453..3ca6fcb39 100644
--- a/deployment/modules/aws/tesseract/conformance/main.tf
+++ b/deployment/modules/aws/tesseract/conformance/main.tf
@@ -175,6 +175,8 @@ resource "aws_ecs_task_definition" "conformance" {
 "--antispam_db_name=${var.antispam_database_name}",
 "--inmemory_antispam_cache_size=256k",
 "--enable_publication_awaiter=true",
+ "--roots_remote_fetch_url=${var.roots_remote_fetch_url}",
+ "--roots_remote_fetch_interval=${var.roots_remote_fetch_interval}",
 "-v=2"
 ],
 "logConfiguration" : {
diff --git a/deployment/modules/aws/tesseract/conformance/variables.tf b/deployment/modules/aws/tesseract/conformance/variables.tf
index 2a1719e5f..f6872ba6c 100644
--- a/deployment/modules/aws/tesseract/conformance/variables.tf
+++ b/deployment/modules/aws/tesseract/conformance/variables.tf
@@ -53,3 +53,15 @@ variable "antispam_database_name" {
 description = "The name of the antispam database."
 type = string
 }
+
+variable "roots_remote_fetch_url" {
+ description = "URL to fetch trusted roots from."
+ type = string
+ default = "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV"
+}
+
+variable "roots_remote_fetch_interval" {
+ description = "Interval between two fetches from roots_fetch_url, e.g. \"1h\"."
+ type = string
+ default = "0s"
+}
diff --git a/deployment/modules/gcp/cloudrun/main.tf b/deployment/modules/gcp/cloudrun/main.tf
index f3b908802..24c9fc69e 100644
--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -56,6 +56,8 @@ resource "google_cloud_run_v2_service" "default" {
 "--trace_fraction=${var.trace_fraction}",
 "--batch_max_size=${var.batch_max_size}",
 "--batch_max_age=${var.batch_max_age}",
+ "--roots_remote_fetch_url=${var.roots_remote_fetch_url}",
+ "--roots_remote_fetch_interval=${var.roots_remote_fetch_interval}",
 ]
 ports {
 container_port = 6962
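Review bot: In deployment/modules/aws/tesseract/conformance/variables.tf, `roots_remote_fetch_url` accepts any string even though it names the source of the log's trusted roots, so a plain-http or malformed value would be handed to the binary unchecked. A `validation` block with `condition = can(regex("^https://\\S+$", var.roots_remote_fetch_url))` would reject that at plan time (add an explicit empty-string case if an empty URL is meant to be allowed). The description of `roots_remote_fetch_interval` refers to `roots_fetch_url`, which is not the variable's name, and does not say what the default `"0s"` means; if it disables fetching, which is not visible in this diff, the description should say so. The same two declarations are repeated in the gcp/cloudrun, gcp/gce/tesseract, gcp/tesseract/cloudrun and gcp/tesseract/gce variables.tf hunks, so both points apply there as well.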
diff --git a/deployment/modules/gcp/cloudrun/variables.tf b/deployment/modules/gcp/cloudrun/variables.tf
index 86bf5d859..4d04e1aab 100644
--- a/deployment/modules/gcp/cloudrun/variables.tf
+++ b/deployment/modules/gcp/cloudrun/variables.tf
@@ -82,3 +82,15 @@ variable "batch_max_age" {
 description = "Maximum age of entries in a single sequencing batch."
 type = string
 }
+
+variable "roots_remote_fetch_url" {
+ description = "URL to fetch trusted roots from."
+ type = string
+ default = "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV"
+}
+
+variable "roots_remote_fetch_interval" {
+ description = "Interval between two fetches from roots_fetch_url, e.g. \"1h\"."
+ type = string
+ default = "0s"
+}
diff --git a/deployment/modules/gcp/gce/tesseract/main.tf b/deployment/modules/gcp/gce/tesseract/main.tf
index d070750b5..0ff0fa083 100644
--- a/deployment/modules/gcp/gce/tesseract/main.tf
+++ b/deployment/modules/gcp/gce/tesseract/main.tf
@@ -59,6 +59,8 @@ locals {
 "-accept_sha1_signing_algorithms=true",
 "-rate_limit_old_not_before=${var.rate_limit_old_not_before}",
 "-rate_limit_dedup=${var.rate_limit_dedup}",
+ "-roots_remote_fetch_url=${var.roots_remote_fetch_url}",
+ "-roots_remote_fetch_interval=${var.roots_remote_fetch_interval}",
 var.witness_policy == "" ? "" : "-witness_policy_file=${local.witness_policy_file}",
 length(var.additional_signer_private_key_secret_names) == 0 ? "" : join(" ", formatlist("-additional_signer_private_key_secret_name=%s", var.additional_signer_private_key_secret_names))
 ])
diff --git a/deployment/modules/gcp/gce/tesseract/variables.tf b/deployment/modules/gcp/gce/tesseract/variables.tf
index 43d5d3a35..ba1ef8c0a 100644
--- a/deployment/modules/gcp/gce/tesseract/variables.tf
+++ b/deployment/modules/gcp/gce/tesseract/variables.tf
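Review bot: In deployment/modules/gcp/gce/tesseract/main.tf the two new flags are interpolated into a list that, judging by the closing `])` and the neighbouring `join(" ", formatlist(...))` entry, appears to be flattened into a single command line, so a URL value containing whitespace would split into extra arguments to the log binary. The `locals` block starts outside the hunk, so this is inferred rather than confirmed. If it holds, restrict the value in this module's variables.tf with a validation such as `condition = can(regex("^https://\\S+$", var.roots_remote_fetch_url))`. The flags are also emitted unconditionally, unlike `-witness_policy_file` just below them, so an empty URL would yield a bare `-roots_remote_fetch_url=`.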
@@ -134,3 +134,15 @@ variable "accepted_roots" { type = string default = "" } + +variable "roots_remote_fetch_url" { + description = "URL to fetch trusted roots from." + type = string + default = "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV" +} + +variable "roots_remote_fetch_interval" { + description = "Interval between two fetches from roots_fetch_url, e.g. \"1h\"." + type = string + default = "0s" +} diff --git a/deployment/modules/gcp/tesseract/cloudrun/main.tf b/deployment/modules/gcp/tesseract/cloudrun/main.tf index ea60582ec..5765ec6a9 100644 --- a/deployment/modules/gcp/tesseract/cloudrun/main.tf +++ b/deployment/modules/gcp/tesseract/cloudrun/main.tf @@ -32,6 +32,8 @@ module "cloudrun" { trace_fraction = var.trace_fraction batch_max_age = var.batch_max_age batch_max_size = var.batch_max_size + roots_remote_fetch_url = var.roots_remote_fetch_url + roots_remote_fetch_interval = var.roots_remote_fetch_interval depends_on = [ module.storage diff --git a/deployment/modules/gcp/tesseract/cloudrun/variables.tf b/deployment/modules/gcp/tesseract/cloudrun/variables.tf index 7229e99a7..06ca587c9 100644 --- a/deployment/modules/gcp/tesseract/cloudrun/variables.tf +++ b/deployment/modules/gcp/tesseract/cloudrun/variables.tf @@ -87,4 +87,14 @@ variable "log_private_key_suffix" { default = "-secret" } +variable "roots_remote_fetch_url" { + description = "URL to fetch trusted roots from." + type = string + default = "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV" +} +variable "roots_remote_fetch_interval" { + description = "Interval between two fetches from roots_fetch_url, e.g. \"1h\"." + type = string + default = "0s" +} diff --git a/deployment/modules/gcp/tesseract/gce/main.tf b/deployment/modules/gcp/tesseract/gce/main.tf index 1a5387cfa..dc293d6cb 100644 --- a/deployment/modules/gcp/tesseract/gce/main.tf +++ b/deployment/modules/gcp/tesseract/gce/main.tf 
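Review bot: The default CCADB URL declared in deployment/modules/gcp/tesseract/cloudrun/variables.tf duplicates the one in the inner gcp/cloudrun module, and because tesseract/cloudrun/main.tf always passes `roots_remote_fetch_url = var.roots_remote_fetch_url`, the inner default is never used from this wrapper. With the root-source URL spelled out in several files, a later change to one copy can leave another module fetching trusted roots from a stale endpoint. Consider keeping the default in a single layer and declaring the variable in the other with `type = string` and no `default`. The gcp/tesseract/gce and gcp/gce/tesseract pair has the same duplication.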
@@ -41,6 +41,8 @@ module "gce" { witness_policy = var.witness_policy accepted_roots = var.accepted_roots health_checks = var.gce_health_checks + roots_remote_fetch_url = var.roots_remote_fetch_url + roots_remote_fetch_interval = var.roots_remote_fetch_interval depends_on = [ module.storage diff --git a/deployment/modules/gcp/tesseract/gce/variables.tf b/deployment/modules/gcp/tesseract/gce/variables.tf index 8fb6d052b..da91d610f 100644 --- a/deployment/modules/gcp/tesseract/gce/variables.tf +++ b/deployment/modules/gcp/tesseract/gce/variables.tf @@ -144,3 +144,15 @@ variable "accepted_roots" { type = string default = "" } + +variable "roots_remote_fetch_url" { + description = "URL to fetch trusted roots from." + type = string + default = "https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV" +} + +variable "roots_remote_fetch_interval" { + description = "Interval between two fetches from roots_fetch_url, e.g. \"1h\"." + type = string + default = "0s" +}