diff --git a/README.md b/README.md
index b778b7b44a8..cb4cfd45682 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ In order to deploy both the stacks the user needs to provide a set of required a
 | customRoleArn | Optional | string | User provided IAM role arn to be used as ec2 instance profile. `-c customRoleArn=arn:aws:iam:::role/` |
 | customConfigFiles | Optional | string | You can provide an entire config file to be overwritten or added to OpenSearch and OpenSearch Dashboards. Pass string in the form of JSON with key as local path to the config file to read from and value as file on the server to overwrite/add. Note that the values in the JSON needs to have prefix of `opensearch` or `opensearch-dashboards`. Example: `-c customConfigFiles='{"opensearch-config/config.yml": "opensearch/config/opensearch-security/config.yml", "opensearch-config/role_mapping.yml":"opensearch/config/opensearch-security/roles_mapping.yml", "/roles.yml": "opensearch/config/opensearch-security/roles.yml"}'` |
 | enableMonitoring | Optional | boolean | Boolean flag to enable monitoring and alarms for Infra Stack. See [InfraStackMonitoring class](./lib/monitoring/alarms.ts) for more details. Defaults to false e.g., `--context enableMonitoring=true` |
+| certificateArn | Optional | string | Add ACM certificate to the listener. e.g., `--context certificateArn=arn:1234` |
 
 * Before starting this step, ensure that your AWS CLI is correctly configured with access credentials.
 * Also ensure that you're running these commands in the current directory
diff --git a/lib/infra/infra-stack.ts b/lib/infra/infra-stack.ts
index a07ea94a538..cd2fbf9f151 100644
--- a/lib/infra/infra-stack.ts
+++ b/lib/infra/infra-stack.ts
@@ -28,7 +28,9 @@ import { MachineImage, SubnetType, } from 'aws-cdk-lib/aws-ec2'; -import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; +import { + ListenerCertificate, NetworkListener, NetworkLoadBalancer, Protocol, +} from 'aws-cdk-lib/aws-elasticloadbalancingv2'; import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets'; import { ManagedPolicy, Role, @@ -124,6 +126,8 @@ export interface InfraProps extends StackProps { readonly customConfigFiles?: string, /** Whether to enable monioring with alarms */ readonly enableMonitoring?: boolean, + /** Certificate ARN to attach to the listener */ + readonly certificateArn ?: string } export class InfraStack extends Stack { @@ -381,6 +385,8 @@ export class InfraStack extends Stack { const defaultInstanceType = (instanceCpuType === AmazonLinuxCpuType.X86_64) ? InstanceType.of(InstanceClass.C5, InstanceSize.XLARGE) : InstanceType.of(InstanceClass.C6G, InstanceSize.XLARGE); + const certificateArn = `${props?.certificateArn ?? scope.node.tryGetContext('certificateArn')}`; + const nlb = new NetworkLoadBalancer(this, 'clusterNlb', { vpc: props.vpc, internetFacing: (!this.isInternal), @@ -392,6 +398,9 @@ export class InfraStack extends Stack { port: 443, protocol: Protocol.TCP, }); + if (certificateArn !== 'undefined') { + opensearchListener.addCertificates('cert', [ListenerCertificate.fromArn(certificateArn)]); + } } else { opensearchListener = nlb.addListener('opensearch', { port: 80, diff --git a/test/opensearch-cluster-cdk.test.ts b/test/opensearch-cluster-cdk.test.ts index 62ae2046efb..511efa39254 100644 --- a/test/opensearch-cluster-cdk.test.ts +++ b/test/opensearch-cluster-cdk.test.ts 
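Review bot: The new `InfraProps` field in the -124 hunk is written `readonly certificateArn ?: string` with a stray space before `?` and no trailing comma, unlike the sibling fields (`readonly enableMonitoring?: boolean,`); it should read `readonly certificateArn?: string,`. The doc comment could also say what kind of certificate is expected and where it ends up, e.g. `/** ARN of the ACM certificate attached to the port-443 listener; falls back to the `certificateArn` context value */`, since the README row introduced in this commit calls it an ACM certificate and the -381 hunk shows the context fallback.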
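Review bot: In the -381 hunk, `const certificateArn = `${props?.certificateArn ?? scope.node.tryGetContext('certificateArn')}`;` stringifies a missing value to the literal text `'undefined'`, and the -392 hunk then has to compare against that string with `certificateArn !== 'undefined'`. Any other absent or malformed value survives that guard: a `null` context value becomes `'null'`, an empty string stays `''`, and both reach `ListenerCertificate.fromArn` and produce a listener with a non-ARN certificate reference that only fails at deploy time. Keeping the value typed would make the check honest: `const certificateArn: string | undefined = props?.certificateArn ?? scope.node.tryGetContext('certificateArn');` here, and `if (certificateArn) {` in the -392 hunk. The enclosing constructor starts and ends outside both hunks.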
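Review bot: In the -392 hunk the certificate is attached to a listener that the context lines show is declared with `port: 443` and `protocol: Protocol.TCP`; a Network Load Balancer only uses certificates on TLS listeners, so on a TCP listener the certificate does not terminate anything and the deploy is likely to be rejected, which neither synth nor the new unit test exercises. The protocol should follow the certificate: `protocol: certificateArn !== 'undefined' ? Protocol.TLS : Protocol.TCP,` on the existing `protocol:` line, so `addCertificates` lands on a TLS listener. Once termination moves to the NLB, verify that the target group protocol and the instances' expectation on port 443 still match, since that configuration is outside this hunk.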
@@ -827,3 +827,42 @@ test('Test additionalConfig overriding values', () => {
     },
   });
 });
+
+test('Test certificate addition', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      certificateArn: 'arn:1234',
+    },
+  });
+
+  // WHEN
+  const networkStack = new NetworkStack(app, 'opensearch-network-stack', {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // @ts-ignore
+  const infraStack = new InfraStack(app, 'opensearch-infra-stack', {
+    vpc: networkStack.vpc,
+    securityGroup: networkStack.osSecurityGroup,
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // THEN
+  const infraTemplate = Template.fromStack(infraStack);
+  infraTemplate.hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+    Certificates: [
+      {
+        CertificateArn: 'arn:1234',
+      },
+    ],
+  });
+});
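Review bot: The new test pins only `Certificates` on the synthesized listener, so it cannot tell whether the certificate ended up on a TLS listener or on a plain TCP one where it is never used; adding `Port: 443, Protocol: 'TLS',` alongside `Certificates` in the `hasResourceProperties` matcher would make the test fail for a certificate on a TCP listener. The `// @ts-ignore` above `new InfraStack(...)` hides whatever type error it is there for and keeps hiding nothing once that error is gone; `// @ts-expect-error <reason>` documents the suppression and is flagged by the compiler when it becomes unnecessary. The `'arn:1234'` value is a constructed placeholder, not a valid ARN shape, which is fine for the synth-level assertion but worth saying in a comment so nobody copies it into the README example as a real value.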