diff --git a/CHANGELOG.md b/CHANGELOG.md
index 051088ca..86aae0c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -99,6 +99,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - BANN-7126 - additional words for login banner are accepted
 - BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
 - CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-6310 - support for HP-UX
 - FILE-6374 - changed log and allow root location to be changed
diff --git a/default.prf b/default.prf
index f59e50c2..6ff3eac2 100644
--- a/default.prf
+++ b/default.prf
@@ -93,8 +93,9 @@ skip-plugins=no
 #skip-upgrade-test=yes
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
diff --git a/include/consts b/include/consts
index c1f65ea2..7968ef1f 100644
--- a/include/consts
+++ b/include/consts
@@ -281,6 +281,7 @@ unset LANG
 SNORTBINARY=""
 SSHKEYSCANBINARY=""
 SSHKEYSCANFOUND=0
+ SSL_CERTIFICATE_INCLUDE_PACKAGES=0
 SSL_CERTIFICATE_PATHS=""
 SSL_CERTIFICATE_PATHS_TO_IGNORE=""
 STUNNELBINARY=""
diff --git a/include/profiles b/include/profiles
index 328d4d49..da2124f7 100644
--- a/include/profiles
+++ b/include/profiles
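Review bot: The new `ssl-certificate-include-packages=no` key is the only setting in the default.prf hunk without an explanatory comment, while `ssl-certificate-paths` and `test-scan-mode` each carry one; add `# Also check certificates that were installed by a package (yes/no)` above it. This matters for `/usr/share/ca-certificates` and `/usr/share/gnupg`, which the same hunk appends to `ssl-certificate-paths`: on most distributions the files there are package-provided, so with the default `no` they are presumably still skipped and the wider path list only takes effect once the new key is set to `yes`. Stating that dependency in the comment tells an operator which switch actually widens the scan.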
@@ -376,6 +376,13 @@ AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
 ;;
+ # Check also certificates provided by packages?
+ ssl-certificate-include-packages)
+ FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
+ Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
+ ;;
+
+ # Set strict mode for development and quality purposes
 strict)
 FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1
diff --git a/include/tests_crypto b/include/tests_crypto
index 1726735a..e449f195 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -74,8 +74,8 @@ COUNT_DIR=$((COUNT_DIR + 1))
 FileIsReadable "${FILE}"
 if [ ${CANREAD} -eq 1 ]; then
- # Only check the files that are not installed by a package
- if ! FileInstalledByPackage "${FILE}"; then
+ # Only check the files that are not installed by a package, unless enabled by profile
+ if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
 OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
 if [ $? -eq 0 ]; then
 LogText "Result: file is a certificate file"
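Review bot: The new `ssl-certificate-include-packages)` arm never registers its value with `AddSetting`, unlike the neighbouring `ssl-certificate-paths-to-ignore` arm visible in the hunk header, so the effective value presumably will not show up wherever the other profile settings are listed; add `AddSetting "ssl-certificate-include-packages" "${SSL_CERTIFICATE_INCLUDE_PACKAGES}" "Also check certificates provided by packages"` before the `;;`. The match `grep -E "^(1|true|yes)"` is anchored only at the start, so a mistyped value such as `yesterday` also enables the option; it copies the existing `strict)` arm, but `^(1|true|yes)$` would be the stricter form. Note also that the arm only ever sets the variable to 1, so a later profile containing `ssl-certificate-include-packages=no` cannot switch the option off again; whether that is intended depends on how profiles are layered, which is outside this hunk. The enclosing case statement starts and ends outside the hunk.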
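Review bot: With the option enabled, the `||` on the new `if` short-circuits before `FileInstalledByPackage` is called, so nothing in the log records whether a certificate file came from a package; since the purpose of the option is to pull package-provided CA bundles such as those under `/usr/share/ca-certificates` into the scan, a single `LogText` line at the start of the test stating that package-provided files are being included would make later findings easier to attribute (that spot is outside this hunk). The numeric test `[ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ]` only works because `include/consts` now initialises the variable to 0; if this file is ever run against a consts without that line, `[` sees a missing operand and the test errors instead of falling back to the old behaviour, so `if [ "${SSL_CERTIFICATE_INCLUDE_PACKAGES}" = "1" ] || ! FileInstalledByPackage "${FILE}"; then` would be more robust. The enclosing loop starts and ends outside the hunk.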