diff --git a/manifests/application.pp b/manifests/application.pp
index a2c85de5..2aa87883 100644
--- a/manifests/application.pp
+++ b/manifests/application.pp
@@ -23,29 +23,24 @@
 Stdlib::Absolutepath $repo_export_dir = '/var/lib/pulp/katello-export',
 ) {
 include foreman
- include certs
- include certs::apache
- include certs::candlepin
- include certs::foreman
- include certs::pulp_client
 include katello::params
+ file { '/etc/foreman_pki/foreman/foreman-to-pulp.key':
+ owner => $foreman::user,
+ } ~>
 foreman_config_entry { 'pulp_client_cert':
- value => $certs::pulp_client::client_cert,
+ value => '/etc/foreman_pki/foreman/foreman-to-pulp.crt',
 ignore_missing => false,
- require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
- }
-
+ require => Foreman::Rake['db:seed'],
+ } ~>
 foreman_config_entry { 'pulp_client_key':
- value => $certs::pulp_client::client_key,
+ value => '/etc/foreman_pki/foreman/foreman-to-pulp.key',
 ignore_missing => false,
- require => [Class['certs::pulp_client'], Foreman::Rake['db:seed']],
+ require => Foreman::Rake['db:seed'],
 }
 include foreman::plugin::tasks
- Class['certs', 'certs::ca', 'certs::apache'] ~> Class['apache::service']
-
 # Used in katello.yaml.erb
 $enable_ostree = $katello::params::enable_ostree
 $enable_yum = $katello::params::enable_yum
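Review bot: The new `file { '/etc/foreman_pki/foreman/foreman-to-pulp.key': }` resource pins only `owner`, so the private key's mode and group stay whatever the process that created the key left them. Since the manifest now takes responsibility for this file, it should state the permissions as well, for example `mode => '0400',` plus an explicit `group`, so a permissive umask upstream cannot leave the key readable by other local users. The same applies to `file { $candlepin_events_ssl_key: }` in the second hunk of this file. This hunk also drops `Class['certs', 'certs::ca', 'certs::apache'] ~> Class['apache::service']` and nothing visible replaces it, so it is worth confirming that a renewed certificate still triggers an Apache restart. The class body starts and ends outside the hunk.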
@@ -54,19 +49,26 @@
 $enable_docker = $katello::params::enable_docker
 $enable_deb = $katello::params::enable_deb
 $pulp_url = $katello::params::pulp_url
- $pulp_ca_cert = $certs::katello_server_ca_cert # TODO: certs::apache::...
+ $pulp_ca_cert = '/etc/foreman_pki/ca/ca.crt'
+
 $candlepin_url = $katello::params::candlepin_url
 $candlepin_oauth_key = $katello::params::candlepin_oauth_key
 $candlepin_oauth_secret = $katello::params::candlepin_oauth_secret
- $candlepin_ca_cert = $certs::ca_cert
- $candlepin_events_ssl_cert = $certs::candlepin::client_cert
- $candlepin_events_ssl_key = $certs::candlepin::client_key
+ $candlepin_ca_cert = '/etc/foreman_pki/ca/ca.crt'
+ $candlepin_events_ssl_cert = '/etc/foreman_pki/foreman/foreman-to-candlepin.crt'
+ $candlepin_events_ssl_key = '/etc/foreman_pki/foreman/foreman-to-candlepin.key'
+
 $crane_url = $katello::params::crane_url
- $crane_ca_cert = $certs::katello_server_ca_cert
+ $crane_ca_cert = '/etc/foreman_pki/ca/ca.crt'
+
 $postgresql_debversion_package = $katello::params::postgresql_debversion_package
 $postgresql_evr_package = $katello::params::postgresql_evr_package
 $manage_db = $foreman::db_manage
+ file { $candlepin_events_ssl_key:
+ owner => $foreman::user,
+ }
+
 # Katello database seeding needs candlepin
 Anchor <| title == 'katello::repo' or title == 'katello::candlepin' |> ->
 foreman::plugin { 'katello':
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index ec907cc8..4a759c75 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
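Review bot: In manifests/application.pp the trust anchors are now string literals: `$pulp_ca_cert`, `$candlepin_ca_cert` and `$crane_ca_cert` all become `'/etc/foreman_pki/ca/ca.crt'`, where the old code read them from two different variables (`$certs::katello_server_ca_cert` and `$certs::ca_cert`). That single file is also not the `/etc/foreman_pki/certs/candlepin/ca.crt` default that candlepin.pp introduces in the same commit. If these are meant to be one CA, a comment above the assignments should say so; if they are not, Foreman may end up verifying a backend against the wrong CA. Taking the paths as class parameters, as candlepin.pp does, e.g. `Stdlib::Absolutepath $candlepin_ca_cert = '/etc/foreman_pki/ca/ca.crt',`, would keep the layout overridable and documented in one place. The class body starts and ends outside the hunk.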
@@ -26,25 +26,26 @@
 Boolean $db_ssl = false,
 Boolean $db_ssl_verify = true,
 Boolean $manage_db = true,
+ Stdlib::Absolutepath $ca_cert = '/etc/foreman_pki/certs/candlepin/ca.crt',
+ Stdlib::Absolutepath $ca_key = '/etc/foreman_pki/certs/candlepin/ca.key',
+ Stdlib::Absolutepath $keystore_file = '/etc/foreman_pki/certs/tomcat/keystore',
+ Stdlib::Absolutepath $keystore_password_file = '/etc/foreman_pki/certs/tomcat/password',
+ Stdlib::Absolutepath $truststore_file = '/etc/foreman_pki/certs/artemis/truststore',
+ Stdlib::Absolutepath $truststore_password_file = '/etc/foreman_pki/certs/artemis/password',
 ) {
- include certs
 include katello::params
- class { 'certs::candlepin':
- hostname => $katello::params::candlepin_host,
- }
-
 class { 'candlepin':
 host => $katello::params::candlepin_host,
- user_groups => $certs::candlepin::group,
 oauth_key => $katello::params::candlepin_oauth_key,
 oauth_secret => $katello::params::candlepin_oauth_secret,
- ca_key => $certs::candlepin::ca_key,
- ca_cert => $certs::candlepin::ca_cert,
- keystore_file => $certs::candlepin::keystore,
- keystore_password => $certs::candlepin::keystore_password,
- truststore_password => $certs::candlepin::keystore_password,
- artemis_client_dn => $certs::candlepin::artemis_client_dn,
+ ca_key => $ca_key,
+ ca_cert => $ca_cert,
+ keystore_file => $keystore_file,
+ keystore_password => file($keystore_password_file),
+ truststore_file => $truststore_file,
+ truststore_password => file($truststore_password_file),
+ artemis_client_dn => "CN=${katello::params::candlepin_host}",
 enable_basic_auth => false,
 consumer_system_name_pattern => '.+',
 adapter_module => 'org.candlepin.katello.KatelloModule',
@@ -56,7 +57,6 @@
 db_ssl => $db_ssl,
 db_ssl_verify => $db_ssl_verify,
 manage_db => $manage_db,
- subscribe => Class['certs', 'certs::candlepin'],
 } ->
 anchor { 'katello::candlepin': } # lint:ignore:anchor_resource
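Review bot: `keystore_password => file($keystore_password_file)` and the matching `truststore_password` line read the secrets with Puppet's `file()` function, which runs at catalog compilation on the compiling host and returns the file contents verbatim. A trailing newline in either file therefore becomes part of the password passed to the `candlepin` class. The cleartext value is also embedded in the compiled catalog and in anything that caches or logs it. I would strip the newline with `keystore_password => chomp(file($keystore_password_file)),` and, if the `candlepin` class accepts it (not visible here), wrap the value in `Sensitive(...)`. The six new `Stdlib::Absolutepath` parameters also need entries in the class documentation, which sits outside this hunk.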