diff --git a/cmd/common.go b/cmd/common.go
index 9787c0224..4124e38bd 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -73,9 +73,6 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	if dumpConfig.SkipConsumers {
 		targetContent.Consumers = []file.FConsumer{}
 	}
-	if dumpConfig.SkipCACerts {
-		targetContent.CACertificates = []file.FCACertificate{}
-	}
 
 	rootClient, err := utils.GetKongClient(rootConfig)
 	if err != nil {
diff --git a/file/builder.go b/file/builder.go
index 298e6ce7d..8b4f3d406 100644
--- a/file/builder.go
+++ b/file/builder.go
@@ -20,6 +20,7 @@ type stateBuilder struct {
 	kongVersion     semver.Version
 
 	selectTags   []string
+	skipCACerts  bool
 	intermediate *state.KongState
 
 	client *kong.Client
@@ -61,7 +62,9 @@ func (b *stateBuilder) build() (*utils.KongRawState, *utils.KonnectRawState, err
 
 	// build
 	b.certificates()
-	b.caCertificates()
+	if !b.skipCACerts {
+		b.caCertificates()
+	}
 	b.services()
 	b.routes()
 	b.upstreams()
diff --git a/file/reader.go b/file/reader.go
index 842e6d13f..a0bdfd9d1 100644
--- a/file/reader.go
+++ b/file/reader.go
@@ -77,6 +77,7 @@ func Get(ctx context.Context, fileContent *Content, opt RenderConfig, dumpConfig
 	builder.kongVersion = opt.KongVersion
 	builder.client = wsClient
 	builder.ctx = ctx
+	builder.skipCACerts = dumpConfig.SkipCACerts
 	if len(dumpConfig.SelectorTags) > 0 {
 		builder.selectTags = dumpConfig.SelectorTags
 	}