diff --git a/buildspec.yml b/buildspec.yml
index fc57156..360ffa5 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -29,12 +29,22 @@ env:
     # Census proxy — required for registry.terraform.io provider downloads
     HTTPS_PROXY: "http://proxy.tco.census.gov:3128"
     HTTP_PROXY: "http://proxy.tco.census.gov:3128"
-    # Exclude AWS-internal endpoints from the proxy
-    NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com"
+    # Exclude AWS-internal endpoints and Census GHE from the proxy
+    NO_PROXY: "169.254.169.254,169.254.170.2,s3.us-gov-west-1.amazonaws.com,s3.amazonaws.com,.amazonaws.com,.us-gov-west-1.amazonaws.com,github.e.it.census.gov"
 
 phases:
   install:
     commands:
+      # ── Install Census Bureau CA certificate ──────────────────────────────
+      # The Census GHE TLS cert is issued by the Census Bureau CA which is not
+      # trusted by the CodeBuild Amazon Linux 2 trust store by default.
+      - |
+        aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" \
+          /etc/pki/ca-trust/source/anchors/census-ca.pem 2>/dev/null \
+          && update-ca-trust \
+          && echo "Census CA cert installed" \
+          || echo "WARNING: could not install Census CA cert (continuing anyway)"
+
       # ── Install Terraform ─────────────────────────────────────────────────
       - |
         if ! command -v terraform &>/dev/null; then
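Review bot: The new install step copies `s3://${ASSETS_BUCKET}/certs/census-ca.pem` straight into the system trust anchors and runs `update-ca-trust` without checking what it received, so anyone who can write that object (or whatever `ASSETS_BUCKET` resolves to if it is unset — the key becomes `s3:///certs/...`) decides which CA every TLS connection in this build trusts, including the proxy and S3 traffic, not just GHE. Pinning the expected SHA-256 fingerprint in the buildspec and comparing it before installing turns that into a fail-closed check; the expected value below is a placeholder to be filled from the real certificate, and the step assumes `openssl` is present in the build image, which I cannot confirm from here. The `2>/dev/null` plus the trailing `|| echo "WARNING: ..."` also hides whether the copy failed for access-denied, missing-object or bad-credential reasons, and "continuing anyway" only defers the failure to a less legible TLS error at the first GHE fetch; if best-effort really is intended, keep the `||` but drop the stderr redirect. The `install` phase continues past the end of this hunk, so the later Terraform step is not reviewed here.

```yaml
      - |
        aws s3 cp "s3://${ASSETS_BUCKET}/certs/census-ca.pem" /tmp/census-ca.pem
        # Pin the CA: refuse to trust anything but the expected certificate.
        actual=$(openssl x509 -in /tmp/census-ca.pem -noout -fingerprint -sha256 | cut -d= -f2)
        [ "$actual" = "<EXPECTED_SHA256_FINGERPRINT>" ] \
          || { echo "Census CA fingerprint mismatch: $actual"; exit 1; }
        install -m 0644 /tmp/census-ca.pem /etc/pki/ca-trust/source/anchors/census-ca.pem
        update-ca-trust
        echo "Census CA cert installed"
      # … unchanged: Install Terraform step …
```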