diff --git a/home/.chezmoiscripts/universal/run_before_01-macos-privileges.sh.tmpl b/home/.chezmoiscripts/universal/run_before_01-macos-privileges.sh.tmpl
index 2d70705c..1cec22d9 100644
--- a/home/.chezmoiscripts/universal/run_before_01-macos-privileges.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_before_01-macos-privileges.sh.tmpl
@@ -53,7 +53,26 @@ ensureFullDiskAccess() {
 # * Ensures CloudFlare Teams certificate is imported into the system keychain
 importCloudFlareCert() {
 if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
- logg info 'Importing Cloudflare_CA.crt into System.keychain' && sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ ### Acquire certificate
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+ CRT_TMP="$(mktemp)"
+ curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+ else
+ CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ fi
+
+ ### Validate / import certificate
+ security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+ if [ $? != 0 ]; then
+ logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+ fi
+
+ ### Remove temporary file, if necessary
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ rm -f "$CRT_TMP"
+ fi
 fi
 }
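Review bot: The download branch hands whatever curl wrote to `$CRT_TMP` straight to `sudo security add-trusted-cert -d -r trustRoot` whenever `security verify-cert -c` fails, and verify-cert fails just as readily for an empty or HTML file (curl is run without `-f`, so a 404 page is saved as the "certificate", and a network error leaves an empty mktemp file) as for a genuinely untrusted root, so a bad fetch is not distinguished from a missing trust anchor. Installing a system-wide trust root should fail closed: add `-f --proto '=https'` to curl, stop if the fetch fails, and confirm the file parses as a certificate — ideally also comparing its SHA-256 fingerprint against a value pinned in the dotfiles — before the sudo step runs. A `trap`-based cleanup would also remove the temp file on an early exit, which the trailing `rm -f` at the end of the function does not cover. The sketch below keeps the existing else branch and import command; `logg` levels other than info/success are not visible in this hunk, so the new messages use info, and whether callers tolerate a non-zero return from this function cannot be seen here.

```shell
  ### Acquire certificate
  if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
    logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
    CRT_TMP="$(mktemp)"
    # Remove the temp file on any exit path, not only the happy one
    trap 'rm -f "$CRT_TMP"' EXIT
    # -f: an HTTP error page must not be saved as the "certificate";
    # --proto '=https': never follow a redirect down to plain HTTP for a trust root
    if ! curl -fsSL --proto '=https' https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt -o "$CRT_TMP"; then
      logg info 'Failed to download Cloudflare_CA.crt; leaving System.keychain unchanged'
      return 1
    fi
  else
    CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
  fi

  ### Validate / import certificate
  # verify-cert fails for an unparseable file and for an untrusted root alike, so make sure
  # the file is at least a real certificate before it is added as a trust root with sudo.
  # A pinned SHA-256 fingerprint check (openssl x509 -noout -fingerprint -sha256) belongs here too.
  if ! openssl x509 -noout -in "$CRT_TMP" > /dev/null 2>&1; then
    logg info 'Cloudflare_CA.crt is not a valid certificate; leaving System.keychain unchanged'
    return 1
  fi
  if ! security verify-cert -c "$CRT_TMP" > /dev/null 2>&1; then
    # … unchanged: logg info + sudo security add-trusted-cert … && logg success …
  fi
  # … unchanged: temp-file removal (now also handled by the trap) …
```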