diff --git a/manifests/site.pp b/manifests/site.pp
index c56aee5d60..017ae1e848 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -485,9 +485,10 @@ node /^subunit-worker\d+\.openstack\.org$/ {
     sysadmins                 => hiera('sysadmins', []),
   }
   class { 'openstack_project::subunit_worker':
-    subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
-    subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
-    mqtt_pass       => hiera('mqtt_service_user_password'),
+    subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
+    subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
+    mqtt_pass             => hiera('mqtt_service_user_password'),
+    mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
   }
 }
 
diff --git a/modules/openstack_project/manifests/subunit_worker.pp b/modules/openstack_project/manifests/subunit_worker.pp
index a8ea763b3d..f789e1283e 100644
--- a/modules/openstack_project/manifests/subunit_worker.pp
+++ b/modules/openstack_project/manifests/subunit_worker.pp
@@ -19,6 +19,7 @@ class openstack_project::subunit_worker (
   $subunit2sql_db_pass,
   $mqtt_user = 'infra',
   $mqtt_pass = undef,
+  $mqtt_ca_cert_contents = undef,
 ) {
 
   file { '/etc/subunit2sql/subunit-woker.yaml':
@@ -29,6 +30,15 @@ class openstack_project::subunit_worker (
     content => template('openstack_project/logstash/jenkins-subunit-worker.yaml.erb'),
   }
 
+  file { '/etc/subunit2sql/mqtt-root-CA.pem.crt':
+      ensure  => present,
+      content => $mqtt_ca_cert_contents,
+      replace => true,
+      owner   => 'subunit',
+      group   => 'subunit',
+      mode    => '0555',
+    }
+
   include subunit2sql
   subunit2sql::worker { 'A':
     config_file => '/etc/subunit2sql/subunit-woker.yaml',
diff --git a/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb b/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
index 5a19c03534..d56144c1c3 100644
--- a/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
+++ b/modules/openstack_project/templates/logstash/jenkins-subunit-worker.yaml.erb
@@ -6,4 +6,4 @@ mqtt-port: 8883
 mqtt-topic: gearman-subunit/<%= @hostname %>
 mqtt-user: <%= @mqtt_user %>
 mqtt-pass: <%= @mqtt_pass %>
-mqtt-ca_certs: "/etc/ca-certificates/extracted/tls-ca-bundle.pem"
+mqtt-ca_certs: /etc/subunit2sql/mqtt-root-CA.pem.crt