diff --git a/deployments/ratify-gatekeeper-provider/templates/executor.yaml b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
index 91b22b567..d5eaea6bf 100644
--- a/deployments/ratify-gatekeeper-provider/templates/executor.yaml
+++ b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
@@ -30,6 +30,19 @@ spec:
 username: "{{ .credential.username }}"
 password: "{{ .credential.password }}"
 {{- end }}
+ {{- if .plainHttp }}
+ {{- if or .caBase64 .caPem }}
+ {{- fail (printf "store with scopes %v: plainHttp cannot be combined with caBase64/caPem (no TLS over plain HTTP)" .scopes) }}
+ {{- end }}
+ plainHttp: true
+ {{- else }}
+ {{- if .caPem }}
+ caPem: {{ .caPem | quote }}
+ {{- end }}
+ {{- if .caBase64 }}
+ caBase64: {{ .caBase64 | quote }}
+ {{- end }}
+ {{- end }}
 {{- if eq (include "ratify.cosignConfigured" $root) "true" }}
 allowCosignTag: true
 {{- end }}
diff --git a/deployments/ratify-gatekeeper-provider/values.yaml b/deployments/ratify-gatekeeper-provider/values.yaml
index f9f704383..ccbbaf1dc 100644
--- a/deployments/ratify-gatekeeper-provider/values.yaml
+++ b/deployments/ratify-gatekeeper-provider/values.yaml
@@ -43,6 +43,7 @@ cosign:
 stores:
 - scopes: []
+ plainHttp: false # set to true for registries that do not use TLS (e.g. local development)
 caBase64: "" # base64 encoded CA certificate, used for TLS verification, e.g. "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg=="
 caPem: "" # PEM encoded CA certificate, used for TLS verification, e.g. "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----" # if both caBase64 and caPem are provided, caPem will be used
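Review bot: `{{- if .plainHttp }}` is truthy for any non-empty string, so if the value ever reaches the template as a string (for example via `--set-string`, where `"false"` is still non-empty) the store would render `plainHttp: true` and the CA guard below it would never run; comparing the canonical form instead, `{{- if eq (toString .plainHttp) "true" }}`, keeps the fail-closed behaviour independent of how the value was typed. The block also carries no explanation of why a CA and plain HTTP are rejected together, which a reader of the rendered manifest cannot infer from the `fail` message alone; a template comment above the `if`, such as `{{/* plainHttp disables TLS, so a CA cannot be used; fail the render rather than silently drop it */}}`, would document the invariant without changing output. The store range that encloses this block starts outside the hunk.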
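Review bot: The comment on the new `plainHttp` key does not mention that the chart refuses to render when it is combined with `caBase64` or `caPem` (the executor template fails in that case), so a user who sets both will only learn of the constraint from the render error. Extend the inline comment so the values file documents it: `plainHttp: false # set to true for registries that do not use TLS (e.g. local development); mutually exclusive with caBase64/caPem`. The existing caPem comment about precedence still reads as a statement about the consumer, which this diff does not show, so I would leave it as written.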