diff --git a/api/go.mod b/api/go.mod
index 5ecc99013..d23f47988 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -69,4 +69,4 @@ require (
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f
diff --git a/api/go.sum b/api/go.sum
index 0003d159c..cf2475b0f 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -62,8 +62,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236 h1:Fo59uOmrnWdVX9WanZofoB2YnmlxDP2wbm7jHGgBIOA=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236/go.mod h1:YgWd1xXF9VgsfPIwkCv3Q0j2akpnojs9zgso87tvCXY=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f h1:1DOq6SRvQLbPRrwtoZuA3UyQPMLNYqM2VyNX6JYKgmo=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
diff --git a/go.mod b/go.mod
index 92eedad10..c3926d636 100644
--- a/go.mod
+++ b/go.mod
@@ -89,4 +89,4 @@ replace github.com/openstack-k8s-operators/nova-operator/api => ./api
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f
diff --git a/go.sum b/go.sum
index 2ee18abfd..9b0645ff9 100644
--- a/go.sum
+++ b/go.sum
@@ -63,8 +63,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236 h1:Fo59uOmrnWdVX9WanZofoB2YnmlxDP2wbm7jHGgBIOA=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236/go.mod h1:YgWd1xXF9VgsfPIwkCv3Q0j2akpnojs9zgso87tvCXY=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f h1:1DOq6SRvQLbPRrwtoZuA3UyQPMLNYqM2VyNX6JYKgmo=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
diff --git a/pkg/nova/cellmapping.go b/pkg/nova/cellmapping.go
index 55976eb12..addc768d1 100644
--- a/pkg/nova/cellmapping.go
+++ b/pkg/nova/cellmapping.go
@@ -68,11 +68,6 @@ func CellMappingJob(
 RestartPolicy: corev1.RestartPolicyOnFailure,
 ServiceAccountName: instance.RbacResourceName(),
 Volumes: volumes,
- SecurityContext: &corev1.PodSecurityContext{
- // since we run as NovaUserID, e.g. certs need to be
- // readable by the user, instead of root
- FSGroup: ptr.To(NovaUserID),
- },
 Containers: []corev1.Container{
 {
 Name: "nova-manage",
diff --git a/pkg/nova/host_discover.go b/pkg/nova/host_discover.go
index c0292e5a4..3690528df 100644
--- a/pkg/nova/host_discover.go
+++ b/pkg/nova/host_discover.go
@@ -80,11 +80,6 @@ func HostDiscoveryJob(
 RestartPolicy: corev1.RestartPolicyOnFailure,
 ServiceAccountName: instance.Spec.ServiceAccount,
 Volumes: volumes,
- SecurityContext: &corev1.PodSecurityContext{
- // since we run as NovaUserID, e.g. certs need to be
- // readable by the user, instead of root
- FSGroup: ptr.To(NovaUserID),
- },
 Containers: []corev1.Container{
 {
 Name: "nova-manage",
diff --git a/pkg/novaapi/deployment.go b/pkg/novaapi/deployment.go
index d29cc5d4c..30dca1d89 100644
--- a/pkg/novaapi/deployment.go
+++ b/pkg/novaapi/deployment.go
@@ -164,11 +164,6 @@ func StatefulSet(
 Spec: corev1.PodSpec{
 ServiceAccountName: instance.Spec.ServiceAccount,
 Volumes: volumes,
- SecurityContext: &corev1.PodSecurityContext{
- // since we run as NovaUserID, e.g. certs need to be
- // readable by the user, instead of root
- FSGroup: ptr.To(nova.NovaUserID),
- },
 Containers: []corev1.Container{
 // the first container in a pod is the default selected
 // by oc log so define the log stream container first.
diff --git a/pkg/novametadata/deployment.go b/pkg/novametadata/deployment.go
index ff6c86b80..288d9bbc1 100644
--- a/pkg/novametadata/deployment.go
+++ b/pkg/novametadata/deployment.go
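Review bot: Removing the pod-level FSGroup here leaves nothing in the code explaining how the nova process is now expected to read files from the mounted volumes; the deleted comment was the only record that the container runs as NovaUserID and relied on group ownership of mounted certs. If a container in this PodSpec still sets RunAsUser to NovaUserID (not visible in the hunk) and a TLS or secret volume is mounted with a restrictive mode, those files become root-owned with no group access and the job fails at runtime rather than at reconcile time, so the new lib-common revision pulled in by this commit should be checked for whatever now takes over that role. I would keep a one-line replacement such as `// no FSGroup: TLS files are copied and chowned into /etc/pki/tls by the config JSON under templates/` so the next reader does not have to rediscover the dependency — wording to be adjusted to what the new revision actually does. The same removal appears in host_discover.go, novaapi/deployment.go, novametadata/deployment.go and novncproxy/deployment.go; CellMappingJob starts and ends outside this hunk.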
@@ -152,11 +152,6 @@ func StatefulSet(
 Spec: corev1.PodSpec{
 ServiceAccountName: instance.Spec.ServiceAccount,
 Volumes: volumes,
- SecurityContext: &corev1.PodSecurityContext{
- // since we run as NovaUserID, e.g. certs need to be
- // readable by the user, instead of root
- FSGroup: ptr.To(nova.NovaUserID),
- },
 Containers: []corev1.Container{
 // the first container in a pod is the default selected
 // by oc log so define the log stream container first.
diff --git a/pkg/novncproxy/deployment.go b/pkg/novncproxy/deployment.go
index a382e5078..53f57ef6e 100644
--- a/pkg/novncproxy/deployment.go
+++ b/pkg/novncproxy/deployment.go
@@ -153,11 +153,6 @@ func StatefulSet(
 Spec: corev1.PodSpec{
 ServiceAccountName: instance.Spec.ServiceAccount,
 Volumes: volumes,
- SecurityContext: &corev1.PodSecurityContext{
- // since we run as NovaUserID, e.g. certs need to be
- // readable by the user, instead of root
- FSGroup: ptr.To(nova.NovaUserID),
- },
 Containers: []corev1.Container{
 {
 Name: instance.Name + "-novncproxy",
diff --git a/templates/novaapi/config/nova-api-config.json b/templates/novaapi/config/nova-api-config.json
index 649dbd250..a11dd256c 100644
--- a/templates/novaapi/config/nova-api-config.json
+++ b/templates/novaapi/config/nova-api-config.json
@@ -31,6 +31,22 @@
 "dest": "/etc/httpd/conf.d/ssl.conf",
 "owner": "root",
 "perm": "0644"
+ },
+ {
+ "source": "/var/lib/config-data/tls/certs/*",
+ "dest": "/etc/pki/tls/certs/",
+ "owner": "root",
+ "perm": "0640",
+ "optional": true,
+ "merge": true
+ },
+ {
+ "source": "/var/lib/config-data/tls/private/*",
+ "dest": "/etc/pki/tls/private/",
+ "owner": "root",
+ "perm": "0600",
+ "optional": true,
+ "merge": true
 }
 ],
 "permissions": [
diff --git a/templates/novametadata/config/nova-metadata-config.json b/templates/novametadata/config/nova-metadata-config.json
index 8fc942ab0..591346a3e 100644
--- a/templates/novametadata/config/nova-metadata-config.json
+++ b/templates/novametadata/config/nova-metadata-config.json
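Review bot: The new `/etc/pki/tls/private/` entry sets `"owner": "root"` with `"perm": "0600"`, which makes the private key readable only by root, and whether that works depends on the UID the nova-api process opens the key with, which this hunk does not show. The pod SecurityContext comments removed elsewhere in this commit state that the services run as NovaUserID, and in nova-novncproxy-config.json the existing entry directly above the insertion uses `"owner": "nova"` for a 0600 file, so root ownership here looks inconsistent unless the daemon starts as root before dropping privileges. If the process is not root, `"owner": "nova"` on the private-key entry is the minimal fix; if it is root, a sentence in the commit message saying so would save the next reader the same check. The certificate entry at 0640 root is fine either way since certificates are public material. The same two entries are added in nova-metadata-config.json and nova-novncproxy-config.json.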
@@ -31,6 +31,22 @@
 "dest": "/etc/httpd/conf.d/ssl.conf",
 "owner": "root",
 "perm": "0644"
+ },
+ {
+ "source": "/var/lib/config-data/tls/certs/*",
+ "dest": "/etc/pki/tls/certs/",
+ "owner": "root",
+ "perm": "0640",
+ "optional": true,
+ "merge": true
+ },
+ {
+ "source": "/var/lib/config-data/tls/private/*",
+ "dest": "/etc/pki/tls/private/",
+ "owner": "root",
+ "perm": "0600",
+ "optional": true,
+ "merge": true
 }
 ],
 "permissions": [
diff --git a/templates/novanovncproxy/config/nova-novncproxy-config.json b/templates/novanovncproxy/config/nova-novncproxy-config.json
index e3f5510b0..505b5e4ac 100644
--- a/templates/novanovncproxy/config/nova-novncproxy-config.json
+++ b/templates/novanovncproxy/config/nova-novncproxy-config.json
@@ -19,6 +19,22 @@
 "owner": "nova",
 "perm": "0600",
 "optional": true
+ },
+ {
+ "source": "/var/lib/config-data/tls/certs/*",
+ "dest": "/etc/pki/tls/certs/",
+ "owner": "root",
+ "perm": "0640",
+ "optional": true,
+ "merge": true
+ },
+ {
+ "source": "/var/lib/config-data/tls/private/*",
+ "dest": "/etc/pki/tls/private/",
+ "owner": "root",
+ "perm": "0600",
+ "optional": true,
+ "merge": true
 }
 ]
 }