diff --git a/branding/handlers/main.yml b/branding/handlers/main.yml
index aff3f5035df29721b12cd3d04c6d245bb9a4052c..32fd08d64e0f6fc41b32f628baf34e116db6bc4a 100644
--- a/branding/handlers/main.yml
+++ b/branding/handlers/main.yml
@@ -2,3 +2,6 @@
 
 - name: update apt cache
   apt: update_cache=yes
+
+- name: update CA certificates
+  command: /usr/sbin/update-ca-certificates
diff --git a/branding/tasks/main.yml b/branding/tasks/main.yml
index 9b0e73b5d9cd325df986fcdf202e5667c1c59327..be363509f2c2df6d90c34694070c2698a7f7be6a 100644
--- a/branding/tasks/main.yml
+++ b/branding/tasks/main.yml
@@ -43,7 +43,7 @@
 
 - name: ensure dir for CA certs exisits
   file:
-    path: /etc/ssl/certs
+    path: /usr/local/share/ca-certificates
     state: directory
     owner: root
     group: root
@@ -56,12 +56,26 @@
 - name: ensure deployment of CA certificates
   copy:
     src: "{{ item }}"
-    dest: "/etc/ssl/certs/{{ item|basename }}"
+    dest: "/usr/local/share/ca-certificates/{{ item|basename }}"
     owner: root
     group: root
     mode: '0644'
   with_items: "{{ branding_cacerts }}"
   when: branding_cacerts is defined
+  notify: update CA certificates
+  tags:
+    - branding
+    - tls
+
+- name: remove CA certificates with broken path
+  file:
+    path: "/etc/ssl/certs/{{ item }}"
+    state: absent
+  notify: update CA certificates
+  with_items:
+    - rwth_chain.pem
+    - rwth_chain_g2.pem
+    - asta_ca.pem
   tags:
     - branding
     - tls