diff --git a/image/scanner/rhel/create-bundle.sh b/image/scanner/rhel/create-bundle.sh
index 993fee6b7..dac612a3c 100755
--- a/image/scanner/rhel/create-bundle.sh
+++ b/image/scanner/rhel/create-bundle.sh
@@ -41,7 +41,6 @@ cp "${INPUT_ROOT}/scripts/entrypoint.sh" "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/import-additional-cas" "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/restore-all-dir-contents" "${OUTPUT_DIR}/scripts"
 cp "${INPUT_ROOT}/scripts/save-dir-contents" "${OUTPUT_DIR}/scripts"
-cp "${INPUT_ROOT}/scripts/trust-root-ca" "${OUTPUT_DIR}/scripts"
 
 # =============================================================================
 # Add binaries and data files to be included in the Dockerfile here. This
diff --git a/image/scanner/scripts/entrypoint.sh b/image/scanner/scripts/entrypoint.sh
index 152964903..c0bc81c98 100755
--- a/image/scanner/scripts/entrypoint.sh
+++ b/image/scanner/scripts/entrypoint.sh
@@ -4,6 +4,5 @@ set -euo pipefail
 
 /restore-all-dir-contents
 /import-additional-cas
-/trust-root-ca
 
 exec /scanner
diff --git a/image/scanner/scripts/import-additional-cas b/image/scanner/scripts/import-additional-cas
index def33dfa8..d3bfe544a 100755
--- a/image/scanner/scripts/import-additional-cas
+++ b/image/scanner/scripts/import-additional-cas
@@ -22,6 +22,14 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
+# Copy the StackRox root CA if available (mounted by the operator).
+# Only copy ca.pem — the mount also contains server cert and key which
+# should not be added as trusted CA anchors.
+CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
+echo "Copying StackRox root CA from '${CA_PATH}'"
+# For RHEL
+cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
+
 echo "Updating CA trust"
 # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
 # will create the necessary directories with the required permissions if the `--output` flag is used.
diff --git a/image/scanner/scripts/trust-root-ca b/image/scanner/scripts/trust-root-ca
deleted file mode 100755
index 548ff8c90..000000000
--- a/image/scanner/scripts/trust-root-ca
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
-
-# For RHEL
-cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-
-# Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust
-# will create the necessary directories with the required permissions if the `--output` flag is used.
-# See https://bugzilla.redhat.com/show_bug.cgi?id=2241240 for background.
-#
-# tl,dr: update-ca-trust extract, when giving the `--output` flag behaves differently with respect
-# to filesystem permissions and this is the behaviour we need for containerized environments.
-update-ca-trust extract --output /etc/pki/ca-trust/extracted
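Review bot: The comment on the first added line says the root CA is copied "if available", but the `cp` on the seventh added line is unconditional, so when `/run/secrets/stackrox.io/certs/ca.pem` is not mounted `cp` fails and — if this script runs under the same `set -euo pipefail` the deleted trust-root-ca used (the header of import-additional-cas is outside the hunk) — the entrypoint aborts before `update-ca-trust extract` ever runs. Either drop "if available" from the comment or make the copy match it: `if [[ -f "${CA_PATH}" ]]; then`, `  cp -- "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem`, `fi`, optionally logging the skip to stderr in an `else` branch so a missing anchor is visible in the container log rather than silent. The deleted script had the same unconditional `cp`, so this is pre-existing behaviour that the commit's new wording now misdescribes rather than a regression introduced here.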