diff --git a/internal/osbuild2/fdo_stage.go b/internal/osbuild2/fdo_stage.go
new file mode 100644
index 000000000..0b77e05ec
--- /dev/null
+++ b/internal/osbuild2/fdo_stage.go
@@ -0,0 +1,40 @@
+package osbuild2
+
+import (
+	"crypto/sha256"
+	"fmt"
+)
+
+type FDOStageReferences []string
+
+func (FDOStageReferences) isReferences() {}
+
+type FDOStageInput struct {
+	inputCommon
+	References FDOStageReferences `json:"references"`
+}
+
+func (FDOStageInput) isStageInput() {}
+
+type FDOStageInputs struct {
+	RootCerts *FDOStageInput `json:"rootcerts"`
+}
+
+func (FDOStageInputs) isStageInputs() {}
+
+// NewFDOStageForCert creates FDOStage
+func NewFDOStageForRootCerts(rootCertsData string) *Stage {
+
+	dataBytes := []byte(rootCertsData)
+	rootCertsInputHash := fmt.Sprintf("sha256:%x", sha256.Sum256(dataBytes))
+
+	input := new(FDOStageInput)
+	input.Type = "org.osbuild.files"
+	input.Origin = "org.osbuild.source"
+	input.References = FDOStageReferences{rootCertsInputHash}
+
+	return &Stage{
+		Type:   "org.osbuild.fdo",
+		Inputs: &FDOStageInputs{RootCerts: input},
+	}
+}
diff --git a/internal/osbuild2/fdo_stage_test.go b/internal/osbuild2/fdo_stage_test.go
new file mode 100644
index 000000000..352fca21b
--- /dev/null
+++ b/internal/osbuild2/fdo_stage_test.go
@@ -0,0 +1,31 @@
+package osbuild2
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewFDOStageForRootCerts(t *testing.T) {
+
+	assert := assert.New(t)
+
+	tests := []struct {
+		data string
+		hash string
+	}{
+		{"42\n", "sha256:084c799cd551dd1d8d5c5f9a5d593b2e931f5e36122ee5c793c1d08a19839cc0"},
+		{"Hallo Welt\n", "sha256:f950375066d74787f31cbd8f9f91c71819357cad243fb9d4a0d9ef4fa76709e0"},
+	}
+
+	for _, tt := range tests {
+		stage := NewFDOStageForRootCerts(tt.data)
+
+		inputs := stage.Inputs.(*FDOStageInputs)
+		certs := inputs.RootCerts
+
+		assert.Len(certs.References, 1)
+		assert.Equal(certs.References[0], tt.hash)
+
+	}
+}