diff --git a/chart/templates/neuvector/secret-ca.yaml b/chart/templates/neuvector/secret-ca.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..871198503736738a7d29b4652de706355f039fa8
--- /dev/null
+++ b/chart/templates/neuvector/secret-ca.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.neuvector.enabled .Values.neuvector.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
+  namespace: neuvector
+type: Opaque
+data:
+  ca.pem: {{ default (dig "certificateAuthority" "cert" "" .Values.sso) .Values.sso.certificate_authority | b64enc }}
+{{- end }}
\ No newline at end of file
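Review bot: The `metadata.name` of the new Secret can render empty, because the guard on the first line only checks that a CA certificate is set, while the name comes from `.Values.sso.secretName` or `certificateAuthority.secretName`, either of which may be unset. An empty `name:` parses as null and the manifest is rejected at apply time. The same expression in chart/templates/neuvector/values.yaml would then pass a null `secretName` to the subchart, and how the subchart handles that is not visible here. Failing the render with a clear message is safer: `name: {{ required "set sso.secretName or sso.certificateAuthority.secretName" (default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName) | quote }}`. Ending the `ca.pem` pipeline with `| b64enc | quote` would also keep that rendered value a string.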
diff --git a/chart/templates/neuvector/values.yaml b/chart/templates/neuvector/values.yaml
index d516bcdcf74c3413738d0607525e63a5850e88e9..de515cc742414d6c075942b72bdd77e45ac407be 100644
--- a/chart/templates/neuvector/values.yaml
+++ b/chart/templates/neuvector/values.yaml
@@ -48,6 +48,11 @@ controller:
         default_role: {{ .Values.neuvector.sso.default_role }}
       {{- end }}
   {{- end }}
+  {{- if and .Values.neuvector.sso.enabled (or .Values.sso.certificate_authority (dig "certificateAuthority" "cert" false .Values.sso)) }}
+  sso:
+    certificateAuthority:
+      secretName: {{ default (dig "certificateAuthority" "secretName" "" .Values.sso) .Values.sso.secretName }}
+  {{- end }}
 {{- end }}
 
 monitor:
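Review bot: The guard and the `secretName` expression added here duplicate the ones in chart/templates/neuvector/secret-ca.yaml, so the Secret that gets created and the name passed to the controller agree only while both copies are edited together. The two guards already differ: this one omits `.Values.neuvector.enabled`, presumably because the enclosing block, which starts outside the hunk, already checks it. A shared named template would keep them in step, e.g. `secretName: {{ include "neuvector.sso.caSecretName" . | quote }}` (helper name is a suggestion), with the helper failing the render when no name is set. The value should be quoted in either case so a numeric- or boolean-looking name is not retyped by the YAML parser.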
diff --git a/chart/values.yaml b/chart/values.yaml
index ef58d55e384507091fc2a3a86ea01b639aa9a1a2..8ae289aa3e8c33b239e60822574e2376e3ff00bf 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -736,11 +736,11 @@ neuvector:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/neuvector.git
     path: "./chart"
-    tag: "2.4.5-bb.4"
+    tag: "2.4.5-bb.5"
   helmRepo:
     repoName: "registry1"
     chartName: "neuvector"
-    tag: "2.4.5-bb.4"
+    tag: "2.4.5-bb.5"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress:
@@ -748,7 +748,7 @@ neuvector:
 
   sso:
     # -- Toggle SSO for Neuvector on and off
-    enabled: true
+    enabled: false
 
     # -- OIDC Client ID to use for Neuvector
     client_id: ""
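Review bot: Changing the default to `enabled: false` means any deployment that relied on the previous default loses its NeuVector SSO configuration on upgrade unless it sets `neuvector.sso.enabled: true` explicitly. What authentication the console falls back to is not visible in this diff and should be confirmed before release. The comment above the key could say so, e.g. `# -- Toggle SSO for Neuvector on and off (default off; set to true explicitly to keep SSO after upgrading)`, and the change deserves a line in the upgrade notes. The `sso:` mapping continues past the end of the hunk.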