diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index a04e74a14e..5321ecb7dc 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -281,6 +281,11 @@ ocp_wildcard_cert_file: wildcard-2021.apps.ocp.fedoraproject.org.cert
 ocp_wildcard_key_file: wildcard-2021.apps.ocp.fedoraproject.org.key
 ocp_wildcard_int_file: wildcard-2021.apps.ocp.fedoraproject.org.intermediate.cert
+# This is the mirrors.centos.org certs
+mirrors_centos_org_cert_name: mirrors.centos.org
+mirrors_centos_org_cert_file: mirrors.centos.org.cert
+mirrors_centos_org_key_file: mirrors.centos.org.key
+
 # Everywhere, always, we should sign messages and validate signatures.
 # However, we allow individual hosts and groups to override this. Use this very
 # carefully.. and never in production (good for testing stuff in staging).
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index fee0f1f83a..be9d518394 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -69,10 +69,12 @@
 - role: httpd/certificate
 certname: mirrors.centos.org
+ SSLCertificateChainFile: mirrors.centos.org.intermediate.cert
 when: env != "staging"
 - role: httpd/certificate
 certname: mirrors.stg.centos.org
+ SSLCertificateChainFile: mirrors.stg.centos.org.intermediate.cert
 when: env == "staging"
 # - role: httpd/certificate
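Review bot: The new `mirrors_centos_org_*` group has no intermediate-certificate entry, unlike the `ocp_wildcard_*` group just above it, which carries `ocp_wildcard_int_file`; the playbook hunk in this same commit then has to hard-code `mirrors.centos.org.intermediate.cert`. Adding `mirrors_centos_org_int_file: mirrors.centos.org.intermediate.cert` here would keep the chain filename next to the cert and key names. Because this file is `group_vars/all`, these production names also reach staging hosts unless a more specific group overrides them, and no such override is visible in this diff. The comment could also state where the key is sourced from, since only its filename belongs in this inventory.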
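Review bot: The two added `SSLCertificateChainFile` values name files that this commit does not show being shipped, so a missing `mirrors.centos.org.intermediate.cert` or `mirrors.stg.centos.org.intermediate.cert` would only surface when the role runs, or later when clients that do not fetch intermediates fail validation. It is worth confirming that both files exist wherever `httpd/certificate` picks up the cert and key, and checking the served chain on one proxy after rollout, for example with `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder). A one-line comment above each entry, such as `# chain file must be deployed together with this certname's cert and key`, would record that dependency. The role list continues outside the hunk.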