diff --git a/pkg/cidata/cloud-config.yaml b/pkg/cidata/cloud-config.yaml
index a3bbed9c9330..8658b3586b53 100644
--- a/pkg/cidata/cloud-config.yaml
+++ b/pkg/cidata/cloud-config.yaml
@@ -37,6 +37,7 @@ users:
 # resolv_conf is not included here
 {{- end }}
 
+{{- if .CACerts.RemoveDefaults }}
 {{ with .CACerts }}
 ca_certs:
   remove_defaults: {{ .RemoveDefaults }}
@@ -50,6 +51,7 @@ ca_certs:
   {{- end }}
   {{- end }}
 {{- end }}
+{{- end }}
 
 {{- if .BootCmds }}
 bootcmd:
diff --git a/pkg/cidata/template.go b/pkg/cidata/template.go
index bcec13852c0d..99520a506ea1 100644
--- a/pkg/cidata/template.go
+++ b/pkg/cidata/template.go
@@ -125,6 +125,13 @@ func ExecuteTemplateCloudConfig(args *TemplateArgs) ([]byte, error) {
 	if err := ValidateTemplateArgs(args); err != nil {
 		return nil, err
 	}
+	// Remove empty CACerts struct from cloud-config output
+	if !*args.CACerts.RemoveDefaults && len(args.CACerts.Trusted) == 0 {
+		temp := *args
+		temp.CACerts.RemoveDefaults = nil
+		temp.CACerts.Trusted = nil
+		args = &temp
+	}
 	return textutil.ExecuteTemplate(cloudConfigYaml, args)
 }