diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index cce9771683..3738323270 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -27,9 +27,7 @@
   - role: keytab/service
     kt_location: /etc/kojid/kojid.keytab
     service: compile
-    when: env == "staging" or krb_builder
 
-  tasks:
   - include: "{{ tasks }}/2fa_client.yml"
     when: not inventory_hostname.startswith('bkernel')
   - include: "{{ tasks }}/motd.yml"
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml
index 407aa6038a..c172b8885b 100644
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -29,7 +29,6 @@
   - role: keytab/service
     kt_location: /etc/kojid/kojid.keytab
     service: compile
-    when: env == "staging" or krb_builder
   - role: keytab/service
     owner_user: root
     owner_group: root
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 7f4e0ced35..163bcc9d8c 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -145,20 +145,11 @@
   - koji_builder
 # done oz/imagefactory
 
-- name: copy over koji ca cert
-  copy: src="{{ private }}/files/koji/buildercerts/fedora-ca.cert" dest=/etc/kojid/cacert.pem
-
 - name: copy over /etc/security/limits.conf
   copy: src=limits.conf dest=/etc/security/limits.conf
   tags:
   - koji_builder
 
-- name: copy over builder cert to /etc/kojid/kojibuilder.pem
-  copy: src="{{ private }}/files/koji/buildercerts/{{ inventory_hostname }}.pem" dest=/etc/kojid/kojibuilder.pem mode=600
-  when: not krb_builder
-  tags:
-  - koji_builder
-
 # oz.cfg  upstream ram and cpu definitions are not enough
 - name: oz.cfg
   copy: src=oz.cfg dest=/etc/oz/oz.cfg
diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index fdfbfcf559..30df4a8582 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -66,22 +66,11 @@ from_addr=Fedora Koji Build System <buildsys@fedoraproject.org>
 
 ;configuration for SSL athentication
 
-{% if env == "staging" or krb_builder %}
 ; Kerberos configuration
 host_principal_format = compile/%s@{{ ipa_realm }}
 keytab = /etc/kojid/kojid.keytab
 krbservice = host
 krb_rdns = false
-{% else %}
-;client certificate - puppet generated
-cert = /etc/kojid/kojibuilder.pem
-{% endif %}
-
-;certificate of the CA that issued the client certificate
-ca = /etc/kojid/cacert.pem
-
-;certificate of the CA that issued the HTTP server certificate
-serverca = /etc/kojid/cacert.pem
 
 {% if 'runroot' in group_names %}
 ; Config for it lives in /etc/kojid/runroot.conf