diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
index d0af62e1b..c05c121b7 100644
--- a/application/controllers/ConfigController.php
+++ b/application/controllers/ConfigController.php
@@ -207,7 +207,7 @@ class ConfigController extends Controller
 $rootCaCollections = array();
 foreach (LocalFileStorage::common('tls/rootcacollections') as $rootCaCollection) {
 $matches = array();
- if (preg_match('~\A([0-9a-f]{2}+)\.pem\z~i', $rootCaCollection, $matches)) {
+ if (preg_match('~\A((?:[0-9a-f]{2})+)\.pem\z~', $rootCaCollection, $matches)) {
 $rootCaCollections[hex2bin($matches[1])] = null;
 }
 }
@@ -218,7 +218,7 @@ class ConfigController extends Controller
 $clientIdentities = array();
 foreach (LocalFileStorage::common('tls/clientidentities') as $clientIdentity) {
 $matches = array();
- if (preg_match('~\A([0-9a-f]{2}+)\.pem\z~i', $clientIdentity, $matches)) {
+ if (preg_match('~\A((?:[0-9a-f]{2})+)\.pem\z~', $clientIdentity, $matches)) {
 $clientIdentities[hex2bin($matches[1])] = null;
 }
 }
diff --git a/application/controllers/TlsrootcacollectionController.php b/application/controllers/TlsrootcacollectionController.php
new file mode 100644
index 000000000..6cbfdbc08
--- /dev/null
+++ b/application/controllers/TlsrootcacollectionController.php
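Review bot: The corrected pattern `~\A((?:[0-9a-f]{2})+)\.pem\z~` is repeated verbatim in this loop and in the `tls/clientidentities` loop of the next hunk, and nothing records why it is now case-sensitive. CreateForm and EditForm in this commit build file names with `bin2hex()`, which emits lowercase hex, so a comment such as `// file names are bin2hex(name) . '.pem'; lowercase only, so every name maps to exactly one file` would document the intent. Moving the pattern into a single class constant would keep the two listings from drifting apart. It is also worth confirming that consumers cope with `hex2bin($matches[1])` as an array key, since PHP turns a purely numeric name such as "10" into an integer key. Both loops sit inside a method whose start and end are outside the hunks.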
@@ -0,0 +1,110 @@
+assertPermission('config/application/tlscert');
+
+ parent::init();
+ }
+
+ public function createAction()
+ {
+ $this->view->form = $form = new CreateForm();
+ $form->setRedirectUrl('tlsrootcacollection/edit')
+ ->handleRequest();
+
+ $this->addTitleTab(
+ $this->translate('New Certificate Collection'),
+ $this->translate('Create A New TLS Root CA Certificate Collection')
+ );
+
+ $this->render('form');
+ }
+
+ public function editAction()
+ {
+ $this->view->form = $form = new EditForm();
+ $name = $this->params->getRequired('name');
+ $form->setOldName($name)
+ ->setRedirectUrl('tlsrootcacollection/edit')
+ ->handleRequest();
+
+ $this->addTitleTab(
+ $this->translate('Edit Certificate Collection'),
+ sprintf($this->translate('Edit TLS Root CA Certificate Collection "%s"'), $name)
+ );
+
+ $this->render('form');
+ }
+
+ public function removeAction()
+ {
+ $rootCaCollections = LocalFileStorage::common('tls/rootcacollections');
+
+ $name = $this->params->getRequired('name');
+ $fileName = bin2hex($name) .
'.pem';
+ $rootCaCollections->resolvePath($fileName, true);
+
+ $this->view->form = $form = new ConfirmRemovalForm();
+ $form->setOnSuccess(function (ConfirmRemovalForm $form) use ($name, $fileName, $rootCaCollections) {
+ try {
+ $rootCaCollections->delete($fileName);
+ } catch (Exception $e) {
+ $form->error($e->getMessage());
+ return false;
+ }
+
+ Notification::success(
+ sprintf(t('TLS root CA certificate collection "%s" successfully removed'), $name)
+ );
+ return true;
+ })
+ ->setRedirectUrl('config/tls')
+ ->handleRequest();
+
+ $this->addTitleTab(
+ $this->translate('Remove Certificate Collection'),
+ sprintf($this->translate('Remove TLS Root CA Certificate Collection "%s"'), $name)
+ );
+
+ $this->render('form');
+ }
+
+ /**
+ * Add primary tab with the given label and title
+ *
+ * @param string $label
+ * @param string $title
+ */
+ protected function addTitleTab($label, $title)
+ {
+ $url = clone $this->getRequest()->getUrl();
+
+ $this->getTabs()->add(
+ preg_replace('~\A.*/~', '', $url->getPath()),
+ array(
+ 'active' => true,
+ 'label' => $label,
+ 'title' => $title,
+ 'url' => $url
+ )
+ );
+ }
+}
diff --git a/application/forms/Config/Tls/RootCaCollection/CreateForm.php b/application/forms/Config/Tls/RootCaCollection/CreateForm.php
new file mode 100644
index 000000000..77a3774f9
--- /dev/null
+++ b/application/forms/Config/Tls/RootCaCollection/CreateForm.php
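Review bot: In removeAction() the statement `$rootCaCollections->resolvePath($fileName, true);` discards its result, so its purpose cannot be read from the code. If it is meant to fail before the confirmation form is rendered when the named collection does not exist (LocalFileStorage is not part of this diff, so that is an assumption), a comment such as `// throws if the collection does not exist; the returned path is not needed` would stop it from being removed as dead code. The closure also hands `$e->getMessage()` straight to `$form->error()`; storage exceptions may contain the absolute path of the file, so a generic message for the user with the detail written to the log would be safer. The class header and the opening of init() are missing from the hunk text as shown.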
@@ -0,0 +1,47 @@
+setName('form_config_tlsrootcacollection');
+ $this->setSubmitLabel($this->translate('Create'));
+ }
+
+ public function createElements(array $formData)
+ {
+ $this->addElement(
+ 'text',
+ 'name',
+ array(
+ 'label' => $this->translate('Name'),
+ 'description' => $this->translate('The new TLS root CA certificate collection\'s name'),
+ 'required' => true
+ )
+ );
+ }
+
+ public function onSuccess()
+ {
+ $name = $this->getElement('name')->getValue();
+
+ try {
+ LocalFileStorage::common('tls/rootcacollections')->create(bin2hex($name) . '.pem', '');
+ } catch (Exception $e) {
+ $this->error($e->getMessage());
+ return false;
+ }
+
+ $this->getRedirectUrl()->setParam('name', $name);
+ }
+}
diff --git a/application/forms/Config/Tls/RootCaCollection/EditForm.php b/application/forms/Config/Tls/RootCaCollection/EditForm.php
new file mode 100644
index 000000000..91bcc66bd
--- /dev/null
+++ b/application/forms/Config/Tls/RootCaCollection/EditForm.php
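Review bot: onSuccess() hex-encodes `$name` without bounding its length, and `bin2hex()` doubles it, so a name longer than about 125 bytes produces a file name above the 255-byte limit common to most filesystems. The create() call then fails and the user is shown the raw exception text through `$this->error($e->getMessage())`. A guard ahead of the try block, `if (strlen($name) > 125) { $this->error($this->translate('Name is too long')); return false; }`, or an equivalent length validator on the `name` element, rejects such input cleanly. Whether create() refuses a name that already exists is not visible here; if it overwrites, an existing collection would be replaced by an empty file. The same length concern applies to EditForm::onSuccess().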
@@ -0,0 +1,85 @@
+setName('form_config_tlsrootcacollection');
+ $this->setSubmitLabel($this->translate('Save Changes'));
+ }
+
+ public function createElements(array $formData)
+ {
+ $this->addElement(
+ 'text',
+ 'name',
+ array(
+ 'label' => $this->translate('Name'),
+ 'description' => $this->translate('The TLS root CA certificate collection\'s name'),
+ 'required' => true,
+ 'value' => $this->oldName
+ )
+ );
+
+ $this->addElement(
+ 'hidden',
+ 'old_name',
+ array(
+ 'required' => true,
+ 'disabled' => true,
+ 'value' => $this->oldName
+ )
+ );
+ }
+
+ public function onSuccess()
+ {
+ $name = $this->getElement('name')->getValue();
+
+ if ($name !== $this->oldName) {
+ try {
+ $rootCaCollections = LocalFileStorage::common('tls/rootcacollections');
+ $oldFileName = bin2hex($this->oldName) . '.pem';
+
+ $rootCaCollections->create(bin2hex($name) . '.pem', $rootCaCollections->read($oldFileName));
+ $rootCaCollections->delete($oldFileName);
+ } catch (Exception $e) {
+ $this->error($e->getMessage());
+ return false;
+ }
+ }
+
+ $this->getRedirectUrl()->setParam('name', $name);
+ }
+
+ /**
+ * Set the TLS root CA certificate collection's old name
+ *
+ * @param string $oldName
+ *
+ * @return $this
+ */
+ public function setOldName($oldName)
+ {
+ $this->oldName = $oldName;
+
+ return $this;
+ }
+}
diff --git a/application/views/scripts/tlsrootcacollection/form.phtml b/application/views/scripts/tlsrootcacollection/form.phtml
new file mode 100644
index 000000000..67aa7ee70
--- /dev/null
+++ b/application/views/scripts/tlsrootcacollection/form.phtml
@@ -0,0 +1,6 @@
+
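Review bot: The rename in onSuccess() is a create followed by a delete, and if `delete($oldFileName)` fails after the create has succeeded the collection stays stored under both names. The user then sees an error although the new name already exists, and a retry would probably fail on the create. Removing the new file again when the delete fails keeps the store consistent; the sketch below belongs inside the existing try block. Separately, the hidden `old_name` element is never read in onSuccess(), which takes the old name from setOldName(), so a comment stating what the element is for would help.

```php
// … unchanged: $rootCaCollections and $oldFileName assignments …
$newFileName = bin2hex($name) . '.pem';
$rootCaCollections->create($newFileName, $rootCaCollections->read($oldFileName));

try {
    $rootCaCollections->delete($oldFileName);
} catch (Exception $e) {
    // Roll back so a failed rename does not leave the collection under both names
    $rootCaCollections->delete($newFileName);
    throw $e;
}
// … unchanged: outer catch reports the error and returns false …
```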