diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb
index ad70118f1c3..f9c3b0f5bfe 100644
--- a/app/lib/katello/resources/candlepin.rb
+++ b/app/lib/katello/resources/candlepin.rb
@@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
 self.consumer_secret = cfg[:oauth_secret]
 self.consumer_key = cfg[:oauth_key]
-self.ssl_ca_file = cfg[:ca_cert_file]
+self.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)
 
 class << self
 def process_response(response)
diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb
index d7c74acc548..86ce3bdba45 100644
--- a/app/lib/katello/resources/registry.rb
+++ b/app/lib/katello/resources/registry.rb
@@ -54,8 +54,7 @@ def load_class
 uri = URI.parse(content_app_url)
 self.prefix = "/pulpcore_registry/"
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
-self.ssl_ca_file = Setting[:ssl_ca_file]
-pulp_primary.pulp3_ssl_configuration(self, :net_http)
+self.ssl_ca_file = pulp_primary.pulp3_ssl_configuration(self, :net_http)
 self
 end
 
diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb
index 5d3aa9f1d59..f13bc57889c 100644
--- a/app/models/katello/concerns/smart_proxy_extensions.rb
+++ b/app/models/katello/concerns/smart_proxy_extensions.rb
@@ -252,6 +252,7 @@ def pulp3_configuration(config_class)
 end
 
 def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter)
+config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)
 case connection_adapter
 when :excon
 config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb
index 3d78229167f..3eb1bac4500 100644
--- a/app/models/katello/ping.rb
+++ b/app/models/katello/ping.rb
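Review bot: `::Cert::Certs.backend_ca_cert_file(:candlepin)` on the added line appears to run in the class body of CandlepinResource (the surrounding `self.site = …` assignments are class-level), so the `Setting[:ssl_ca_file]` fallback inside it is now read once when the class is autoloaded — a later change to Foreman's setting will not take effect until restart, and if the settings table is unreachable at load time (migrations, rake tasks) the lookup may raise where the old `cfg[:ca_cert_file]` only touched static YAML. Please confirm the load-time path is safe during `db:migrate`, and make the behaviour visible with a comment such as `# Resolved once at class load; falls back to Foreman's ssl_ca_file setting`. The class body starts before and continues after this hunk.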
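Review bot: The added line assigns the return value of `pulp3_ssl_configuration` to `self.ssl_ca_file`, but that method (see its hunk in smart_proxy_extensions.rb in this commit) already sets `config.ssl_ca_file` on the object it is given and then falls through to a `case`, so what comes back is the last expression of whichever branch ran — by the look of the visible `:excon` branch, a client cert/key value, not the CA path. If so, the assignment overwrites the correct CA file and TLS verification of the registry endpoint fails or raises at connect time. Call the method for its side effects only: `pulp_primary.pulp3_ssl_configuration(self, :net_http)`; if the return value is meant to be the CA path, that method should end with an explicit `config.ssl_ca_file` rather than relying on the `case` value.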
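Review bot: `pulp3_ssl_configuration` now sets `config.ssl_ca_file` for every adapter before branching, which is the right place for it, but its return value is whatever the final `case` branch evaluates to, and the registry.rb hunk in this same commit now assigns that value to `ssl_ca_file`. Either state the contract above the `def` with `# Configures CA file and client cert/key on +config+ in place; the return value is not meaningful` so callers stop relying on it, or finish the method with an explicit `config` so the contract is deliberate. The method body continues past the end of this hunk, so the `:net_http` branch it returns from is not visible here.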
@@ -252,12 +252,11 @@ def fetch_proxy(capsule_id)
 end
 
 def backend_status(url, backend)
-ca_file = SETTINGS[:katello][backend][:ca_cert_file]
+ca_file = ::Cert::Certs.backend_ca_cert_file(backend)
 request_id = ::Logging.mdc['request']
 options = {}
 options[:ssl_ca_file] = ca_file unless ca_file.nil?
-options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
 options[:headers] = { 'Correlation-ID' => request_id } if request_id
 client = RestClient::Resource.new("#{url}/status/", options)
diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb
index a611f8b5aa8..4ccc60b4276 100644
--- a/app/services/cert/certs.rb
+++ b/app/services/cert/certs.rb
@@ -9,7 +9,7 @@ def self.ca_cert
 end
 
 def self.candlepin_client_ca_cert
-File.read(SETTINGS[:katello][:candlepin][:ca_cert_file])
+File.read(backend_ca_cert_file(:candlepin))
 end
 
 def self.ssl_client_cert
@@ -28,10 +28,14 @@ def self.ssl_client_key_filename
 Setting[:ssl_priv_key]
 end
 
+def self.backend_ca_cert_file(backend)
+SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
+end
+
 def self.verify_ueber_cert(organization)
 ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
 cert_store = OpenSSL::X509::Store.new
-cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
+cert_store.add_file backend_ca_cert_file(:candlepin)
 organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
 end
 end
diff --git a/config/katello.yaml.example b/config/katello.yaml.example
index e7de21ac536..2ce31b9e1f1 100644
--- a/config/katello.yaml.example
+++ b/config/katello.yaml.example
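Review bot: Removing the `options[:verify_ssl]` line drops the per-backend `verify_ssl` override altogether, so any deployment that had `verify_ssl: false` for candlepin or pulp in katello.yaml now silently gets rest-client's default peer verification against the resolved CA — the safer default, but a behaviour change that should be called out in the release notes and pinned with a comment such as `# Peer verification is always on; the CA comes from katello.yaml or Foreman's ssl_ca_file setting`. The `unless ca_file.nil?` guard on the line above also no longer covers the blank case: `backend_ca_cert_file` returns `Setting[:ssl_ca_file]` verbatim, and an empty string would be handed to OpenSSL as a CA path; `options[:ssl_ca_file] = ca_file if ca_file.present?` closes that gap. `backend_status` continues beyond the visible lines of this hunk.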
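Review bot: `File.read(backend_ca_cert_file(:candlepin))` on the added line receives `nil` when neither the YAML key nor Foreman's `ssl_ca_file` setting is populated, and the resulting `TypeError` (no implicit conversion of nil into String) does not tell the operator which setting is missing. A guard before the read, `raise ArgumentError, 'no CA file configured for candlepin (katello.yaml ca_cert_file or Foreman ssl_ca_file)' if path.nil?`, turns a confusing backtrace into an actionable message; the same applies to the `add_file` caller further down this file.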
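Review bot: `backend_ca_cert_file` only falls back to Foreman's setting when the YAML value is `nil` or `false`; an empty string (`:ca_cert_file: ""`) is truthy in Ruby and is returned as the CA path, so `cert_store.add_file` and every HTTP client that uses it fail with an opaque OpenSSL error instead of using the Foreman CA. Use ActiveSupport's blank check, `SETTINGS.dig(:katello, backend, :ca_cert_file).presence || Setting[:ssl_ca_file]`, and document the precedence above the `def`: `# CA bundle used to verify TLS to +backend+ (:candlepin or :pulp); a katello.yaml ca_cert_file overrides Foreman's ssl_ca_file setting`. Note that `Setting[:ssl_ca_file]` itself can be blank, so callers that pass the result to OpenSSL still need to handle that.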
@@ -17,22 +17,16 @@
 :oauth_key: katello
 :oauth_secret: katello
-# refers to the candlepin-ca.crt location that is needed
-# to connect to candlepin over https.This is not necessary
-# if the candlepin server is running on the same machine as katello
-# but required if the server is on a different machine.
-# In the different machine case the katello host needs to have a
-# copy of /etc/candlepin/certs/candlepin-ca.crt copied from
-# the candlepin host and the location of the copied file needs to be
-# specified here..
+# Optional CA file to user to verify HTTPS connections to Candlepin. If not
+# specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 # :bulk_load_size: 1000
 
 # Setup your pulp environment here
 :pulp:
 :sync_threads: 4
 # refers to the apache certificate
-# (typically /etc/pki/tls/certs/localhost.crt) location that is needed
-# to connect to pulp over https.
+# Optional CA file to user to verify HTTPS connections to Candlepin. If not
+# specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 :default_login: admin
 :sync_KBlimit:
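Review bot: The replacement comment under `:pulp:` is a verbatim copy of the Candlepin one and still says "connections to Candlepin", and both copies read "CA file to user to verify" where "used" is meant. For the pulp entry write `# Optional CA file used to verify HTTPS connections to Pulp. If not` / `# specified, Foreman's ssl_ca_file setting is used.`, and apply the same "used" fix to the Candlepin entry. The surviving `# refers to the apache certificate` line directly above the new pulp comment now describes nothing and should be removed with the rest of the old text.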