diff --git a/.gitmodules b/.gitmodules
index aaa66caf71821..d36613d604786 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -153,3 +153,6 @@
 [submodule "ports/esp32s2/esp-idf"]
 	path = ports/esp32s2/esp-idf
 	url = https://github.com/jepler/esp-idf.git
+[submodule "ports/esp32s2/certificates/nina-fw"]
+	path = ports/esp32s2/certificates/nina-fw
+	url = https://github.com/adafruit/nina-fw.git
diff --git a/conf.py b/conf.py
index 1d4c420481891..1a90b617b8d74 100644
--- a/conf.py
+++ b/conf.py
@@ -172,6 +172,7 @@
                     "ports/atmel-samd/tools",
                     "ports/cxd56/mkspk",
                     "ports/cxd56/spresense-exported-sdk",
+                    "ports/esp32s2/certificates",
                     "ports/esp32s2/esp-idf",
                     "ports/esp32s2/peripherals",
                     "ports/litex/hw",
diff --git a/ports/esp32s2/certificates/README.md b/ports/esp32s2/certificates/README.md
new file mode 100644
index 0000000000000..dd5cf25b00a01
--- /dev/null
+++ b/ports/esp32s2/certificates/README.md
@@ -0,0 +1,3 @@
+We share root certificates with the nina-fw to ensure they both use the same roots.
+
+https://github.com/adafruit/nina-fw
diff --git a/ports/esp32s2/certificates/nina-fw b/ports/esp32s2/certificates/nina-fw
new file mode 160000
index 0000000000000..f2a0e601b2321
--- /dev/null
+++ b/ports/esp32s2/certificates/nina-fw
@@ -0,0 +1 @@
+Subproject commit f2a0e601b23212dda4fe305eab30af49a7c7fb41
diff --git a/ports/esp32s2/esp-idf-config/sdkconfig.defaults b/ports/esp32s2/esp-idf-config/sdkconfig.defaults
index 025b05caa681a..53b169e39e01c 100644
--- a/ports/esp32s2/esp-idf-config/sdkconfig.defaults
+++ b/ports/esp32s2/esp-idf-config/sdkconfig.defaults
@@ -575,10 +575,11 @@ CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
 # Certificate Bundle
 #
 CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
-CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=y
+# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL is not set
 # CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN is not set
-# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE is not set
-# CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE is not set
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH="certificates/nina-fw/data/roots.pem"
 # end of Certificate Bundle
 
 # CONFIG_MBEDTLS_ECP_RESTARTABLE is not set