diff --git a/manifests/site.pp b/manifests/site.pp
index bfdd9fedaa..bfd578cfa7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -171,6 +171,22 @@ node 'puppetmaster.openstack.org' {
     mqtt_password                              => hiera('mqtt_service_user_password'),
     mqtt_ca_cert_contents                      => hiera('mosquitto_tls_ca_file'),
   }
+  file { '/etc/openstack/infracloud_vanilla_cacert.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+    content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
+    require => Class['::openstack_project::puppetmaster'],
+  }
+  file { '/etc/openstack/infracloud_chocolate_cacert.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+    content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
+    require => Class['::openstack_project::puppetmaster'],
+  }
 }
 
 # Node-OS: trusty
diff --git a/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb b/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
index 4199ec8e1a..c6a0cd7cf3 100644
--- a/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
+++ b/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
@@ -9,7 +9,7 @@ clouds:
       project_domain_name: default
       user_domain_name: default
     identity_api_version: '3'
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_vanilla_cacert.pem
   admin-infracloud-chocolate:
     region_name: RegionOne
     auth:
@@ -20,7 +20,7 @@ clouds:
       project_domain_name: default
       user_domain_name: default
     identity_api_version: '3'
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_chocolate_cacert.pem
   infra-files-ro:
     profile: rackspace
     auth:
@@ -46,7 +46,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_vanilla_cacert.pem
   openstackci-infracloud-chocolate:
     region_name: RegionOne
     auth:
@@ -58,7 +58,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_chocolate_cacert.pem
   openstackci-internap:
     profile: internap
     auth:
@@ -152,7 +152,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_vanilla_cacert.pem
   openstackzuul-infracloud-chocolate:
     region_name: RegionOne
     auth:
@@ -164,7 +164,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_chocolate_cacert.pem
   openstackjenkins-rax:
     regions:
       - DFW
diff --git a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
index 55c5092c48..5de9169b62 100644
--- a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
+++ b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
@@ -90,7 +90,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_vanilla_cacert.pem
   openstackci-infracloud-chocolate:
     region_name: RegionOne
     auth:
@@ -102,7 +102,7 @@ clouds:
       user_domain_name: default
     identity_api_version: '3'
     floating_ip_source: None
-    cacert: /etc/ssl/certs/ca-certificates.crt
+    cacert: /etc/openstack/infracloud_chocolate_cacert.pem
   openstackci-citycloud:
     regions:
       - Lon1