diff --git a/pkg/cidata/cidata.TEMPLATE.d/user-data b/pkg/cidata/cidata.TEMPLATE.d/user-data
index 1f7c150f7650..5984317a7e53 100644
--- a/pkg/cidata/cidata.TEMPLATE.d/user-data
+++ b/pkg/cidata/cidata.TEMPLATE.d/user-data
@@ -66,6 +66,7 @@ resolv_conf:
   {{- end }}
 {{- end }}
 
+{{- if .CACerts.RemoveDefaults }}
 {{ with .CACerts }}
 ca_certs:
   remove_defaults: {{ .RemoveDefaults }}
@@ -76,6 +77,7 @@ ca_certs:
     {{- range $line := $cert.Lines }}
     {{ $line }}
     {{- end }}
+    {{- end }}
   {{- end }}
   {{- end }}
 {{- end }}
diff --git a/pkg/cidata/cidata.go b/pkg/cidata/cidata.go
index b6b27bc0d5f6..5c1b1a432c8e 100644
--- a/pkg/cidata/cidata.go
+++ b/pkg/cidata/cidata.go
@@ -310,6 +310,11 @@ func templateArgs(instDir, name string, y *limayaml.LimaYAML, udpDNSLocalPort, t
 		args.CACerts.Trusted = append(args.CACerts.Trusted, cert)
 	}
 
+	if !*args.CACerts.RemoveDefaults && len(args.CACerts.Trusted) == 0 {
+		args.CACerts.RemoveDefaults = nil
+		args.CACerts.Trusted = nil
+	}
+
 	args.BootCmds = getBootCmds(y.Provision)
 
 	for _, f := range y.Provision {
diff --git a/pkg/cidata/template.go b/pkg/cidata/template.go
index 99520a506ea1..92bbaf600d41 100644
--- a/pkg/cidata/template.go
+++ b/pkg/cidata/template.go
@@ -115,9 +115,6 @@ func ValidateTemplateArgs(args *TemplateArgs) error {
 			return fmt.Errorf("field mounts[%d] must be absolute, got %q", i, f)
 		}
 	}
-	if args.CACerts.RemoveDefaults == nil {
-		return errors.New("field CACerts.RemoveDefaults must be set")
-	}
 	return nil
 }
 
@@ -125,12 +122,6 @@ func ExecuteTemplateCloudConfig(args *TemplateArgs) ([]byte, error) {
 	if err := ValidateTemplateArgs(args); err != nil {
 		return nil, err
 	}
-	// Remove empty CACerts struct from cloud-config output
-	if !*args.CACerts.RemoveDefaults && len(args.CACerts.Trusted) == 0 {
-		temp := *args
-		temp.CACerts.RemoveDefaults = nil
-		temp.CACerts.Trusted = nil
-		args = &temp
 	}
 	return textutil.ExecuteTemplate(cloudConfigYaml, args)
 }