diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
index 7cdec0aeb9de3ae10496f0191a8afe984970ff69..0858d5638f8345161e73bcb9700c85bcad1ce8ff 100644
--- a/debian/usr.lib.ipsec.charon
+++ b/debian/usr.lib.ipsec.charon
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+ #include
 capability ipc_lock,
 capability net_admin,
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
index a9df80e2f8c883fd38dffe711a62616cbc756ede..29aea3aa997265a734d16507467a2e54938d9a55 100644
--- a/debian/usr.sbin.charon-systemd
+++ b/debian/usr.sbin.charon-systemd
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+ #include
 capability ipc_lock,
 capability net_admin,
diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
index 455c7cbf49b194666027b01094cbef52361619b2..86eea636d755dd0e70a3560a52cf5bb6229e34cf 100644
--- a/debian/usr.sbin.swanctl
+++ b/debian/usr.sbin.swanctl
@@ -15,9 +15,13 @@
 /etc/strongswan.d/ r,
 /etc/strongswan.d/** r,
- # All reading configuration, certificate, and key files beneath /etc/swanctl/
+ # Allow reading configuration, certificate, and key files beneath /etc/swanctl/
 /etc/swanctl/** r,
+ # Allow reading system certs/keys beneath /etc/ssl and other locations
+ # used by common ACME/Let's Encrypt clients
+ #include
+ # Allow communication with VICI plugin UNIX domain socket
 /run/charon.vici rw,
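Review bot: The include added to debian/usr.lib.ipsec.charon carries no comment explaining what it grants, while the same addition in debian/usr.sbin.swanctl is documented as reading system certs/keys under /etc/ssl and ACME client locations; the daemon profile should carry the same explanation so the widened read scope is auditable from the profile itself. The angle-bracketed abstraction name does not render on this page, so I cannot confirm which abstraction is included. Suggested comment above the new line: `# Allow reading system certs/keys beneath /etc/ssl and ACME client locations (same grant as usr.sbin.swanctl)`. If that abstraction also covers private-key directories, as the swanctl comment implies, it is worth stating whether the long-running daemon actually needs to load keys from there or whether a certificate-only abstraction would be enough. The identical hunk in debian/usr.sbin.charon-systemd has the same gap.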
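Review bot: The new comment in debian/usr.sbin.swanctl says "certs/keys beneath /etc/ssl and other locations" but the rule is a single include whose target is not visible here, so a reader auditing the profile cannot tell which paths become readable or whether private-key directories are among them; name the abstraction and its key coverage explicitly, e.g. `# Allow reading system certs/keys (abstraction: <ABSTRACTION-NAME>) beneath /etc/ssl` and `# and ACME client locations; includes private-key dirs: <yes/no>`. If swanctl only needs certificate chains from those locations, a certificate-only abstraction would keep host key material outside the profile's read scope.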