diff --git a/dev/functions b/dev/functions
index 0e9940238b049b5ec8f75843ca69421d10ab4367..bd319be89adcedb4329c28dc4debed94f79903f8 100644
--- a/dev/functions
+++ b/dev/functions
@@ -404,6 +404,17 @@ function overcloud_deploy {
     if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
         echo "Generate TLS certificates"
         run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+        # Add CA cert to trust store.
+        ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt
+        if [[ -e /etc/debian_version ]]; then
+            # Ubuntu
+            sudo cp $ca_cert "/usr/local/share/ca-certificates/kayobe-customca.crt"
+            sudo update-ca-certificates
+        elif [[ -e /etc/redhat-release ]]; then
+            # CentOS
+            sudo cp $ca_cert "/etc/pki/ca-trust/source/anchors/kayobe-customca.crt"
+            sudo update-ca-trust
+        fi
     fi
 
     # Note: This must currently be before host configure, because host
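Review bot: The two added `sudo cp $ca_cert ...` lines expand the variable unquoted, and nothing checks that root.crt exists before the trust store is rebuilt. A failed certificate run or a KAYOBE_CONFIG_PATH containing spaces would only surface later as an unrelated TLS verification error. I would add `[[ -f "$ca_cert" ]] || { echo "CA certificate not found: $ca_cert" >&2; return 1; }` after the assignment, quote `"$ca_cert"` in both cp calls, and declare the variable with `local`. A host that is neither Debian- nor RedHat-family currently falls through silently, so an `else` branch printing a warning would help. It is also worth a comment that this makes the generated root CA a system-wide trust anchor until the kayobe-customca.crt file is removed, which suits disposable dev/CI hosts only; overcloud_deploy starts and ends outside the hunk.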
diff --git a/playbooks/kayobe-overcloud-base/globals.yml.j2 b/playbooks/kayobe-overcloud-base/globals.yml.j2
index 6ebb2af2db1c8db90dc310aa3bec6f78f0b495d2..7de112f61a2f694271c34dfe0060d619c06ed109 100644
--- a/playbooks/kayobe-overcloud-base/globals.yml.j2
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
@@ -20,6 +20,6 @@ nova_libvirt_logging_debug: False
 kolla_copy_ca_into_containers: "yes"
 kolla_enable_tls_backend: "yes"
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
-kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+kolla_admin_openrc_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 libvirt_tls: "yes"
 {% endif %}
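Review bot: The new `kolla_admin_openrc_cacert` value hard-codes the RedHat-family bundle path, while the dev/functions change in this commit also installs the CA on Debian/Ubuntu, where update-ca-certificates maintains /etc/ssl/certs/ca-certificates.crt instead. Unless Ubuntu hosts are handled elsewhere, the generated openrc would point at a file that does not exist there, and a failing OS_CACERT tends to get worked around by disabling verification. The context line for `openstack_cacert` has the same assumption, so both values should probably be chosen per distribution. At minimum I would add a comment such as `# RedHat-family bundle path; Debian/Ubuntu use /etc/ssl/certs/ca-certificates.crt`. The enclosing `{% if %}` block opens outside the hunk, so the condition guarding these lines is not visible here.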
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index ab14f9940a2590e2ecf0dd3d9dc5ef8c63a97d15..58ce039acb12003b298803fa91b784060c6aad50 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -45,9 +45,6 @@ kolla_ironic_default_boot_interface: ipxe
 kolla_enable_tls_external: "yes"
 kolla_enable_tls_internal: "yes"
 
-# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
-kayobe_ansible_user: zuul
-
 kolla_ironic_pxe_append_params_extra:
   - ipa-insecure=1
 {% endif %}