diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 82c7735db..320b6d6b6 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -68,11 +68,6 @@ so-elastic-fleet: - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - {% if GLOBALS.os_family == 'Debian' %} - - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro - - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro - - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro - {% endif %} - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} @@ -87,13 +82,8 @@ so-elastic-fleet: - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - {% if GLOBALS.os_family == 'Debian' %} - - FLEET_CA=/etc/ssl/certs/intca.crt - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt - {% else %} - - FLEET_CA=/etc/pki/tls/certs/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - {% endif %} - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index d7d6458c9..c935521fd 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers 
@@ -65,7 +65,7 @@ do if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi printf "\n\n### Generating $GOOS/$GOARCH Installer...\n" docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \ - --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ + --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index ac0ce4db9..83a155ae6 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -6,11 +6,7 @@ # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.os_family == 'Debian' %} -INTCA=/etc/ssl/certs/intca.crt -{% else %} INTCA=/etc/pki/tls/certs/intca.crt -{% endif %} . /usr/sbin/so-elastic-fleet-common diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index e28ca5fdf..8baff4901 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
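Review bot: The changed `--mount` line for `/etc/pki/tls/certs/` binds the host certificate directory into the builder container read-write, although the build presumably only reads the CA from it. Appending `,readonly`, as in `--mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/,readonly \`, stops a faulty or tampered builder image from altering certificates the host trusts. On RHEL-family hosts this directory likely holds more than `intca.crt`, so all of it becomes visible under `/workspace/files/cert/`; binding only the one file would narrow that. The enclosing loop starts and ends outside the hunk.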
@@ -59,7 +59,7 @@ so-elasticsearch: {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% endif %} - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 731ad4ca3..c76f81d21 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -73,7 +73,7 @@ so-logstash: {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 2a4f5a179..4c452bec0 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -33,7 +33,7 @@ so-redis: {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/certs/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro + - /etc/pki/certs/intca.crt:/certs/ca.crt:ro {% endif %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 4e48688f3..ef93a9072 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
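Review bot: In the salt/redis/enabled.sls hunk the new bind source is `/etc/pki/certs/intca.crt`, while every other hunk in this commit, including the `trusttheca` state in salt/ssl/init.sls, uses `/etc/pki/tls/certs/intca.crt`. Non-manager nodes would therefore mount a path this commit never creates. Docker typically creates a missing bind source as an empty directory, so so-redis would start with no usable CA at `/certs/ca.crt` and its TLS verification would fail or be worked around. The line should read `- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro`.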
@@ -36,14 +36,24 @@ include: {% set ca_server = global_ca_server[0] %} {% endif %} - +cacertdir: + file.directory: + - name: /etc/pki/tls/certs + - makedirs: True # Trust the CA trusttheca: x509.pem_managed: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt - text: {{ trusttheca_text }} +{% if GLOBALS.os_family == 'Debian' %} +symlinkca: + file.symlink: + - target: /etc/pki/tls/certs/intca.crt + - name: /etc/ssl/certs/intca.crt +{% endif %} + # Install packages needed for the sensor m2cryptopkgs: pkg.installed: diff --git a/salt/ssl/remove.sls b/salt/ssl/remove.sls index 4eb0eb442..43a245288 100644 --- a/salt/ssl/remove.sls +++ b/salt/ssl/remove.sls @@ -1,6 +1,6 @@ trusttheca: file.absent: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt influxdb_key: file.absent: diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 598587e17..d55e536d6 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -46,7 +46,7 @@ so-telegraf: {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro {% endif %} - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
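Review bot: The new `symlinkca` state in salt/ssl/init.sls will likely fail on Debian-family hosts that are upgraded rather than freshly installed, because `/etc/ssl/certs/intca.crt` already exists there as a regular file written by the old `trusttheca`, and `file.symlink` does not replace a non-symlink unless forced. Adding `- force: True` plus `- require:` with `- x509: trusttheca` under `symlinkca` would replace the stale copy and create the link only once its target exists. Until the link succeeds, the old file stays in place unmanaged and can drift from the CA in `/etc/pki/tls/certs`. `cacertdir` also sets no `mode`, so on Debian the new directory's permissions depend on the minion's umask; `- mode: 755` would pin them.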
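Review bot: `trusttheca` in salt/ssl/remove.sls now removes only `/etc/pki/tls/certs/intca.crt`, which on Debian leaves the `/etc/ssl/certs/intca.crt` symlink created by `symlinkca` dangling, and on hosts not yet migrated leaves the old CA file in the system trust directory. A second `file.absent` state named `/etc/ssl/certs/intca.crt` would keep removal symmetric with salt/ssl/init.sls. `file.absent` succeeds when the path is already missing, so it needs no `os_family` guard.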