diff --git a/playbookconfig/src/playbooks/enroll_subcloud.yml b/playbookconfig/src/playbooks/enroll_subcloud.yml
index 757f52c9a..1255a18d7 100644
--- a/playbookconfig/src/playbooks/enroll_subcloud.yml
+++ b/playbookconfig/src/playbooks/enroll_subcloud.yml
@@ -31,10 +31,10 @@
# - common/recover-subcloud-certificates
- rehome-enroll-common/prepare-env
- enroll-subcloud/validate-before-enroll
- # - rehome-subcloud/update-ca-cert
+ - rehome-subcloud/update-ca-cert
# - common/update-sc-admin-endpoints
- # - role: common/update-sc-cert
- # when: subcloud_dc_admin_ep_cert_chain_recovered is undefined
+ - role: common/update-sc-cert
+ when: subcloud_dc_admin_ep_cert_chain_recovered is undefined
# - rehome-subcloud/update-network-config
# - role: rehome-subcloud/update-keystone-data
# become: yes
diff --git a/playbookconfig/src/playbooks/rehome_subcloud.yml b/playbookconfig/src/playbooks/rehome_subcloud.yml
index ed1edb58b..8d418b471 100644
--- a/playbookconfig/src/playbooks/rehome_subcloud.yml
+++ b/playbookconfig/src/playbooks/rehome_subcloud.yml
@@ -27,3 +27,6 @@
- role: rehome-subcloud/update-keystone-data
become: yes
- rehome-subcloud/validate-after-rehome
+
+ vars:
+ mode: 'rehoming'
diff --git a/playbookconfig/src/playbooks/roles/common/update-sc-cert/tasks/main.yml b/playbookconfig/src/playbooks/roles/common/update-sc-cert/tasks/main.yml
index 3ddce70cd..01358d681 100644
--- a/playbookconfig/src/playbooks/roles/common/update-sc-cert/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/update-sc-cert/tasks/main.yml
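Review bot: No definition of `mode` is visible for the enroll play, yet both roles enabled here read it: `common/update-sc-cert` now branches on `mode == "enroll"` / `mode != "enroll"`, and `rehome-subcloud/update-ca-cert` (last hunk of this commit) no longer passes `mode` to install-platform-certificates, so that role inherits whatever the play provides. rehome_subcloud.yml gets `mode: 'rehoming'` at play level in the same commit, but enroll_subcloud.yml does not; unless `mode` arrives via extra-vars or is set by an earlier role such as rehome-enroll-common/prepare-env, the `when: mode == "enroll"` conditional fails on an undefined variable. Mirroring the rehome play with `vars:` / `mode: 'enroll'` on this play would make the contract explicit; if the value is intentionally supplied externally, a comment next to the enabled roles saying so would save the next reader the search.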
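Review bot: Defining `mode: 'rehoming'` as a play-level var instead of the include_role param it replaces (see the update-ca-cert hunk) lowers its precedence: any `set_fact` or registered result named `mode` from an earlier role in this play now shadows it, and `mode` is generic enough that such a collision is plausible, though none is visible in this diff. If the only goal is to share one value between update-ca-cert and update-sc-cert, a more specific name (for example `subcloud_cert_mode`) or keeping it as a role param would make the dependency harder to break; at minimum a comment above `vars:` naming the roles that consume `mode` would document the new coupling.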
@@ -40,39 +40,58 @@
vars:
ansible_become: yes
-- name: Check admin-ep-cert.pem updated
- command: stat -c %Y "/etc/ssl/private/{{ sc_adminep_cert }}"
- register: adminep_cert_modify_time
- until: adminep_cert_modify_time.stdout|int > (start_time.stdout|int + 1)
- retries: 63
- delay: 10
+- block:
+ - name: Get admin endpoint certificate
+ shell: >-
+ kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret
+ sc-adminep-certificate -n sc-cert
+ -o jsonpath='{.data.tls\.key}{.data.tls\.crt}'
+ | base64 -d
+ register: get_admin_ep_cert
-- name: Check haproxy service restarted
- shell: >-
- date --date="$(ps -p $(ps -eo pid,cmd | grep haproxy |
- awk 'NR==1{print $1}') -o lstart=)" '+%s'
- register: haproxy_start_time
- until: haproxy_start_time.stdout > start_time.stdout
- retries: 6
- delay: 10
+ - name: Create DC admin endpoint root CA certificate
+ copy:
+ dest: "/etc/ssl/private/{{ sc_adminep_cert }}"
+ content: "{{ get_admin_ep_cert.stdout }}"
+ mode: 0400
+ when: mode == "enroll"
-- name: Check manifest applied and alarm cleared
- shell: |
- source /etc/platform/openrc;
- fm alarm-list --query alarm_id=250.001
- register: alarm_count
- retries: 6
- delay: 30
- until: alarm_count.stdout == ""
- # set as false to allow for a better error message in the fail task below
- failed_when: false
+- block:
+ - name: Check admin-ep-cert.pem updated
+ command: stat -c %Y "/etc/ssl/private/{{ sc_adminep_cert }}"
+ register: adminep_cert_modify_time
+ until: adminep_cert_modify_time.stdout|int > (start_time.stdout|int + 1)
+ retries: 63
+ delay: 10
-- name: Failed when the manifest apply times out
- fail:
- msg: >-
- Timed out to update DC subcloud cert. Check the cert-mon.log on the
- subcloud controller for the reason.
- when: alarm_count.stdout != ""
+ - name: Check haproxy service restarted
+ shell: >-
+ date --date="$(ps -p $(ps -eo pid,cmd | grep haproxy |
+ awk 'NR==1{print $1}') -o lstart=)" '+%s'
+ register: haproxy_start_time
+ until: haproxy_start_time.stdout > start_time.stdout
+ retries: 6
+ delay: 10
+
+ - name: Check manifest applied and alarm cleared
+ shell: |
+ source /etc/platform/openrc;
+ fm alarm-list --query alarm_id=250.001
+ register: alarm_count
+ retries: 6
+ delay: 30
+ until: alarm_count.stdout == ""
+ # set as false to allow for a better error message in the fail task below
+ failed_when: false
+
+ - name: Failed when the manifest apply times out
+ fail:
+ msg: >-
+ Timed out to update DC subcloud cert. Check the cert-mon.log on the
+ subcloud controller for the reason.
+ when: alarm_count.stdout != ""
+
+ when: mode != "enroll"
- name: Restart sysinv-conductor
command: sm-restart service sysinv-conductor
diff --git a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-ca-cert/tasks/main.yml b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-ca-cert/tasks/main.yml
index 36831597b..41606011d 100644
--- a/playbookconfig/src/playbooks/roles/rehome-subcloud/update-ca-cert/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-subcloud/update-ca-cert/tasks/main.yml
@@ -13,5 +13,4 @@
name: common/install-platform-certificates
vars:
kubeadm_pki_dir: /etc/kubernetes/pki
- mode: 'rehoming'
system_local_ca_overrides: false
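Review bot: The "Get admin endpoint certificate" task pulls the TLS private key (`.data.tls\.key`) out of the sc-adminep-certificate secret into a registered variable, and neither it nor the `copy` task that writes it carries `no_log: true`, so the key material can land in the play output whenever the task fails or the play runs with `-v` or `--diff`. Indentation is not recoverable from this diff, but the `when: mode == "enroll"` that follows `mode: 0400` reads as a task-level condition on the copy only (unlike the second block, where the `when` clearly gates the whole block), which would mean the kubectl call runs in every mode; and because the `kubectl … | base64 -d` pipeline has no pipefail, a failed kubectl (missing secret, wrong kubeconfig) returns rc 0 with empty stdout and the copy would overwrite `/etc/ssl/private/{{ sc_adminep_cert }}` with an empty file. Moving the `when` onto the block, adding `no_log: true` to both tasks, and running the pipeline under `set -o pipefail` with `/bin/bash` addresses all three, and quoting `mode: "0400"` avoids the octal-literal lint. The task owning the `vars: ansible_become: yes` context at the top of the hunk starts outside it.
```yaml
- block:
  - name: Get admin endpoint certificate
    shell: >-
      set -o pipefail &&
      kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret
      sc-adminep-certificate -n sc-cert
      -o jsonpath='{.data.tls\.key}{.data.tls\.crt}'
      | base64 -d
    args:
      executable: /bin/bash
    register: get_admin_ep_cert
    no_log: true

  - name: Create DC admin endpoint root CA certificate
    copy:
      # … unchanged: dest / content …
      mode: "0400"
    no_log: true
  when: mode == "enroll"
```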