diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 2863e0a4f4..ee3c3d3d38 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -102,7 +102,7 @@ parameters:
 type: string
 description: Specifies the CA cert to use for NBD TLS.
 InternalTLSVncCAFile:
- default: '/etc/pki/CA/certs/vnc.crt'
+ default: '/etc/ipa/ca.crt'
 type: string
 description: Specifies the CA cert to use for VNC TLS.
 InternalTLSQemuCAFile:
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
index dcf0468834..46c5d5a390 100644
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
@@ -51,7 +51,7 @@ parameters:
 enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt.
 InternalTLSVncCAFile:
- default: '/etc/pki/CA/certs/vnc.crt'
+ default: '/etc/ipa/ca.crt'
 type: string
 description: Specifies the CA cert to use for VNC TLS.
 LibvirtVncCACert:
diff --git a/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml b/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml
new file mode 100644
index 0000000000..f8f832186f
--- /dev/null
+++ b/releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
+ requrested does not have the full CA chain and only have the free IPA
+ CA. As a result qemu which can not verify the vnc certificate sent by
+ the vnc-proxy. The issue is in certmonger as it does not return the full
+ CA chain.
+ As a workaround, until certmonger is fixed, this change points the
+ InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
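Review bot: The new default `/etc/ipa/ca.crt` ties the trust anchor for VNC TLS to the FreeIPA client CA bundle on the host, but the description right below it still reads only `Specifies the CA cert to use for VNC TLS.`, so the reason for the path and the expectation that the full chain lives there are recorded only in the release note. Suggest extending the parameter description, e.g. `description: Specifies the CA cert to use for VNC TLS. Defaults to the FreeIPA CA bundle so the full CA chain (including any external parent CA) is trusted by qemu.` The same default and description are changed in the nova-vnc-proxy-container-puppet.yaml hunk and should carry the same wording. Whether the bundle at that path is guaranteed to be present on every node that reads this parameter is not visible from these hunks and is worth confirming against the surrounding template.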