diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index afcaf08a..5955ac6a 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -96,14 +96,14 @@ type ACME struct {
 	// provisioner. If this value is not set the default apple, step and tpm
 	// will be used.
 	AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"`
-	Claims             *Claims                 `json:"claims,omitempty"`
-	Options            *Options                `json:"options,omitempty"`
-
-	// TODO(hs): WIP configuration for ACME Device Attestation
-	AttestationRoots    []byte `json:"attestationRoots"`
+	// AttestationRoots contains a bundle of root certificates in PEM format
+	// that will be used to verify the attestation certificates. If provided,
+	// this bundle will be used even for well-known CAs like Apple and Yubico.
+	AttestationRoots    []byte   `json:"attestationRoots,omitempty"`
+	Claims              *Claims  `json:"claims,omitempty"`
+	Options             *Options `json:"options,omitempty"`
 	attestationRootPool *x509.CertPool
-
-	ctl *Controller
+	ctl                 *Controller
 }
 
 // GetID returns the provisioner unique identifier.
@@ -160,7 +160,6 @@ func (p *ACME) Init(config Config) (err error) {
 		return errors.New("provisioner name cannot be empty")
 	}
 
-<<<<<<< HEAD
 	for _, c := range p.Challenges {
 		if err := c.Validate(); err != nil {
 			return err
@@ -172,29 +171,29 @@ func (p *ACME) Init(config Config) (err error) {
 		}
 	}
 
-=======
-	// TODO(hs): WIP configuration for ACME Device Attestation
-	p.attestationRootPool = x509.NewCertPool()
-
-	var (
-		block *pem.Block
-		rest  = p.AttestationRoots
-	)
-	for rest != nil {
-		block, rest = pem.Decode(rest)
-		if block == nil {
-			break
+	// Parse attestation roots.
+	// The pool will be nil if the there are not roots.
+	if rest := p.AttestationRoots; len(rest) > 0 {
+		var block *pem.Block
+		var hasCert bool
+		p.attestationRootPool = x509.NewCertPool()
+		for rest != nil {
+			block, rest = pem.Decode(rest)
+			if block == nil {
+				break
+			}
+			cert, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return errors.New("error parsing attestationRoots: malformed certificate")
+			}
+			p.attestationRootPool.AddCert(cert)
+			hasCert = true
 		}
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return errors.Wrap(err, "error parsing x509 certificate from PEM block")
+		if !hasCert {
+			return errors.New("error parsing attestationRoots: no certificates found")
 		}
-		p.attestationRootPool.AddCert(cert)
 	}
 
-	// TODO(hs): need validation for number of certs? The current ones are only for the `tpm` type; not for Apple or Yubico.
-
->>>>>>> acdfdf34 (Add `tpm` attestation with configurable roots)
 	p.ctl, err = NewController(p, p.Claims, config, p.Options)
 	return
 }
@@ -312,8 +311,11 @@ func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttest
 	return false
 }
 
-// TODO(hs): we may not want to expose the root pool like this;
-// call into an interface function instead to authorize?
-func (p *ACME) GetAttestationRoots() (*x509.CertPool, error) {
-	return p.attestationRootPool, nil
+// GetAttestationRoots returns certificate pool with the configured attestation
+// roots and reports if the pool contains at least one certificate.
+//
+// TODO(hs): we may not want to expose the root pool like this; call into an
+// interface function instead to authorize?
+func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool) {
+	return p.attestationRootPool, p.attestationRootPool != nil
 }
diff --git a/authority/provisioner/acme_test.go b/authority/provisioner/acme_test.go
index 6152a8c9..bfd85303 100644
--- a/authority/provisioner/acme_test.go
+++ b/authority/provisioner/acme_test.go
@@ -1,11 +1,13 @@
 package provisioner
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"net/http"
+	"os"
 	"testing"
 	"time"
 
@@ -77,6 +79,15 @@ func TestACME_Getters(t *testing.T) {
 }
 
 func TestACME_Init(t *testing.T) {
+	appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	type ProvisionerValidateTest struct {
 		p   *ACME
 		err error
@@ -120,6 +131,18 @@ func TestACME_Init(t *testing.T) {
 				err: errors.New("acme attestation format \"zar\" is not supported"),
 			}
 		},
+		"fail-parse-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
+			return ProvisionerValidateTest{
+				p:   &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("-----BEGIN CERTIFICATE-----\nZm9v\n-----END CERTIFICATE-----")},
+				err: errors.New("error parsing attestationRoots: malformed certificate"),
+			}
+		},
+		"fail-empty-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
+			return ProvisionerValidateTest{
+				p:   &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("\n")},
+				err: errors.New("error parsing attestationRoots: no certificates found"),
+			}
+		},
 		"ok": func(t *testing.T) ProvisionerValidateTest {
 			return ProvisionerValidateTest{
 				p: &ACME{Name: "foo", Type: "bar"},
@@ -132,6 +155,7 @@ func TestACME_Init(t *testing.T) {
 					Type:               "bar",
 					Challenges:         []ACMEChallenge{DNS_01, DEVICE_ATTEST_01},
 					AttestationFormats: []ACMEAttestationFormat{APPLE, STEP},
+					AttestationRoots:   bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n")),
 				},
 			}
 		},
@@ -144,6 +168,7 @@ func TestACME_Init(t *testing.T) {
 	for name, get := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := get(t)
+			t.Log(string(tc.p.AttestationRoots))
 			err := tc.p.Init(config)
 			if err != nil {
 				if assert.NotNil(t, tc.err) {
@@ -346,3 +371,58 @@ func TestACME_IsAttestationFormatEnabled(t *testing.T) {
 		})
 	}
 }
+
+func TestACME_GetAttestationRoots(t *testing.T) {
+	appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(appleCA)
+	pool.AppendCertsFromPEM(yubicoCA)
+
+	type fields struct {
+		Type             string
+		Name             string
+		AttestationRoots []byte
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   *x509.CertPool
+		want1  bool
+	}{
+		{"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true},
+		{"nil", fields{"ACME", "acme", nil}, nil, false},
+		{"empty", fields{"ACME", "acme", []byte{}}, nil, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := &ACME{
+				Type:             tt.fields.Type,
+				Name:             tt.fields.Name,
+				AttestationRoots: tt.fields.AttestationRoots,
+			}
+			if err := p.Init(Config{
+				Claims:    globalProvisionerClaims,
+				Audiences: testAudiences,
+			}); err != nil {
+				t.Fatal(err)
+			}
+			got, got1 := p.GetAttestationRoots()
+			if tt.want == nil && got != nil {
+				t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
+			} else if !tt.want.Equal(got) {
+				t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
+			}
+			if got1 != tt.want1 {
+				t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1)
+			}
+		})
+	}
+}
diff --git a/authority/provisioner/testdata/certs/apple-att-ca.crt b/authority/provisioner/testdata/certs/apple-att-ca.crt
new file mode 100644
index 00000000..2e5e3b3b
--- /dev/null
+++ b/authority/provisioner/testdata/certs/apple-att-ca.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAamgAwIBAgIUQsDCuyxyfFxeq/bxpm8frF15hzcwCgYIKoZIzj0EAwMw
+UTEtMCsGA1UEAwwkQXBwbGUgRW50ZXJwcmlzZSBBdHRlc3RhdGlvbiBSb290IENB
+MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yMjAyMTYxOTAx
+MjRaFw00NzAyMjAwMDAwMDBaMFExLTArBgNVBAMMJEFwcGxlIEVudGVycHJpc2Ug
+QXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UE
+BhMCVVMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT6Jigq+Ps9Q4CoT8t8q+UnOe2p
+oT9nRaUfGhBTbgvqSGXPjVkbYlIWYO+1zPk2Sz9hQ5ozzmLrPmTBgEWRcHjA2/y7
+7GEicps9wn2tj+G89l3INNDKETdxSPPIZpPj8VmjQjBAMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFPNqTQGd8muBpV5du+UIbVbi+d66MA4GA1UdDwEB/wQEAwIB
+BjAKBggqhkjOPQQDAwNpADBmAjEA1xpWmTLSpr1VH4f8Ypk8f3jMUKYz4QPG8mL5
+8m9sX/b2+eXpTv2pH4RZgJjucnbcAjEA4ZSB6S45FlPuS/u4pTnzoz632rA+xW/T
+ZwFEh9bhKjJ+5VQ9/Do1os0u3LEkgN/r
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/authority/provisioner/testdata/certs/yubico-piv-ca.crt b/authority/provisioner/testdata/certs/yubico-piv-ca.crt
new file mode 100644
index 00000000..b0a92199
--- /dev/null
+++ b/authority/provisioner/testdata/certs/yubico-piv-ca.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1
+YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY
+DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg
+U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2
+cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E
+ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq
+joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH
+BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf
+wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet
+X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0
+1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s
+XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2
+lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d
+bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq
+Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8
+SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7
+-----END CERTIFICATE-----
\ No newline at end of file