diff --git a/pkg/cidata/cidata.TEMPLATE.d/user-data b/pkg/cidata/cidata.TEMPLATE.d/user-data
index ada882fd040..26060b0c1c0 100644
--- a/pkg/cidata/cidata.TEMPLATE.d/user-data
+++ b/pkg/cidata/cidata.TEMPLATE.d/user-data
@@ -66,6 +66,7 @@ resolv_conf:
 {{ with .CACerts }}
 ca_certs:
 remove_defaults: {{ .RemoveDefaults }}
+ {{- if .Trusted}}
 trusted:
 {{- range $cert := .Trusted }}
 - |
@@ -73,6 +74,7 @@ ca_certs:
 {{ $line }}
 {{- end }}
 {{- end }}
+ {{- end }}
 {{- end }}
 {{- if .BootCmds }}
diff --git a/pkg/cidata/template.go b/pkg/cidata/template.go
index dbd17a7c389..b9aa9618820 100644
--- a/pkg/cidata/template.go
+++ b/pkg/cidata/template.go
@@ -112,6 +112,9 @@ func ValidateTemplateArgs(args TemplateArgs) error {
 return fmt.Errorf("field mounts[%d] must be absolute, got %q", i, f)
 }
 }
+ if args.CACerts.RemoveDefaults == nil {
+ return errors.New("field CACerts.RemoveDefaults must be set")
+ }
 return nil
 }
diff --git a/pkg/cidata/template_test.go b/pkg/cidata/template_test.go
index f09f0225db4..a8ae1cc895d 100644
--- a/pkg/cidata/template_test.go
+++ b/pkg/cidata/template_test.go
@@ -8,6 +8,8 @@ import (
 "gotest.tools/v3/assert"
 )
+var defaultRemoveDefaults = false
+
 func TestTemplate(t *testing.T) {
 args := TemplateArgs{
 Name: "default",
@@ -22,6 +24,10 @@ func TestTemplate(t *testing.T) {
 {MountPoint: "/Users/dummy/lima"},
 },
 MountType: "reverse-sshfs",
+ CACerts: CACerts{
+ RemoveDefaults: &defaultRemoveDefaults,
+ Trusted: []Cert{},
+ },
 }
 layout, err := ExecuteTemplate(args)
 assert.NilError(t, err)
@@ -33,6 +39,8 @@ func TestTemplate(t *testing.T) {
 if f.Path == "user-data" {
 // mounted later
 assert.Assert(t, !strings.Contains(string(b), "mounts:"))
+ // ca_certs:
+ assert.Assert(t, !strings.Contains(string(b), "trusted:"))
 }
 }
 }
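Review bot: The guard added in pkg/cidata/cidata.TEMPLATE.d/user-data is written `{{- if .Trusted}}` with no space before the closing delimiter, while the other actions visible in these two hunks (`{{- range $cert := .Trusted }}`, `{{- end }}`) have one; `{{- if .Trusted }}` would match. The matching `{{- end }}` sits in the second hunk of this file and the enclosing `{{ with .CACerts }}` block is only partly visible. A short template comment on the guard saying why the `trusted:` key is omitted for an empty list would help, since the diff does not state the reason.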
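Review bot: The check added to ValidateTemplateArgs in pkg/cidata/template.go rejects a nil `CACerts.RemoveDefaults`, but as far as this hunk shows it still accepts `RemoveDefaults` set to true together with an empty `Trusted` list. With the template change in this commit, that input renders `ca_certs:` with only `remove_defaults: true`. If cloud-init applies that as written, the guest is presumably left with no trust anchors, and certificate verification inside the VM fails for every endpoint. If that combination is not meant to be supported, reject it here with something like `if *args.CACerts.RemoveDefaults && len(args.CACerts.Trusted) == 0 { return errors.New("field CACerts.Trusted must not be empty when CACerts.RemoveDefaults is true") }`; if it is intentional, a comment saying so would do. The function body starts outside the hunk, so an existing check earlier in it cannot be ruled out.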
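Review bot: `defaultRemoveDefaults` in pkg/cidata/template_test.go (hunk at -8,6) is a mutable package-level variable, and its address is handed to both TestTemplate and TestTemplate9p. Any code path that writes through `CACerts.RemoveDefaults` would therefore change the fixture seen by the other test. Declaring `removeDefaults := false` inside each test and passing `&removeDefaults` keeps the two fixtures independent and drops the global.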
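Review bot: The assertion added to TestTemplate (hunk at -33,6) only pins the empty case, that `trusted:` is absent when `Trusted` is empty. Nothing in this diff exercises the positive branch of the new `{{- if .Trusted}}` guard or the new nil check in ValidateTemplateArgs, and TestTemplate9p in the following hunk also passes no certificates. Two more cases would cover both: one with a single entry in `Trusted`, asserting that the rendered user-data contains `trusted:` and the certificate lines, and one with `RemoveDefaults` left nil, asserting that ValidateTemplateArgs returns an error. The comment `// ca_certs:` would read better as `// "trusted:" must be omitted when CACerts.Trusted is empty`. The enclosing loop begins outside the hunk.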
@@ -51,6 +59,9 @@ func TestTemplate9p(t *testing.T) {
 {Tag: "mount1", MountPoint: "/Users/dummy/lima", Type: "9p", Options: "rw,trans=virtio"},
 },
 MountType: "9p",
+ CACerts: CACerts{
+ RemoveDefaults: &defaultRemoveDefaults,
+ },
 }
 layout, err := ExecuteTemplate(args)
 assert.NilError(t, err)