diff --git a/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml b/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
index fd5c2654e..64f514b6d 100644
--- a/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/enroll-subcloud/complete-enrollment/tasks/main.yml
@@ -44,3 +44,9 @@
 file:
 path: "{{ subcloud_enrollment_completed_flag }}"
 state: touch
+
+- name: Clear enrollment_in_progress flag
+ file:
+ path: /var/run/.enrollment_in_progress
+ state: absent
+ become: true
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml b/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
index 33087e989..63beac6b1 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/prepare-env/tasks/main.yml
@@ -8,6 +8,13 @@
 # the next step.
 #
+- name: Set enrollment_in_progress flag
+ file:
+ path: /var/run/.enrollment_in_progress
+ state: touch
+ become: true
+ when: mode is defined and mode == "enroll"
+
 - name: Set config path facts
 set_fact:
 config_permdir: "{{ platform_path + '/config/' + software_version }}"
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
index 13c67c8df..79550addc 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/files/update_keystone_keyring_passwords.py
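Review bot: The flag at `/var/run/.enrollment_in_progress` is removed only by this final task of complete-enrollment, so a play that fails anywhere between the prepare-env task that creates it and this one leaves the flag behind. What reads the flag is not visible in this diff, but if a consumer relaxes any check while enrollment is running, a stale flag keeps that relaxation active; clearing it from a `rescue`/`always` section, or at the start of the next run, would bound its lifetime. The path is also repeated as a literal here and in the prepare-env hunk, whereas the neighbouring task already uses a variable (`subcloud_enrollment_completed_flag`); a shared variable would keep the two tasks from drifting apart.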
@@ -35,10 +35,11 @@ def print_with_timestamp(*args, **kwargs):
 class OpenStackClient:
 """Client to interact with OpenStack Keystone."""
- def __init__(self) -> None:
+ def __init__(self, verify_certs) -> None:
 self.conf = {}
 self._session = None
 self._keystone = None
+ self.verify_certs = verify_certs
 # Loading credentials and configurations from environment variables
 # typically set in OpenStack
@@ -74,7 +75,7 @@ class OpenStackClient:
 except KeyError as e:
 print_with_timestamp(f"Configuration key missing: {e}")
 sys.exit(1)
- return session.Session(auth=auth)
+ return session.Session(auth=auth, verify=self.verify_certs)
 @property
 def keystone(self):
@@ -187,9 +188,10 @@ class OpenStackClient:
 class CgtsClient(object):
 SYSINV_API_VERSION = 1
- def __init__(self):
+ def __init__(self, verify_certs):
 self.conf = {}
 self._sysinv = None
+ self.insecure = False if verify_certs else True
 # Loading credentials and configurations from environment variables
 # typically set in OpenStack
@@ -222,7 +224,8 @@ class CgtsClient(object):
 os_user_domain_name=self.conf['user_domain_name'],
 os_region_name=self.conf['region_name'],
 os_service_type='platform',
- os_endpoint_type='admin')
+ os_endpoint_type='admin',
+ insecure=self.insecure)
 return self._sysinv
 def wait_until_config_updated(self, old_config, username):
@@ -260,7 +263,7 @@ def store_password_in_keyring(username, password):
 def main():
 """Main function to execute based on command-line input."""
 if len(sys.argv) < 3:
- print_with_timestamp("Usage: update_keystone_passwords.py ")
+ print_with_timestamp("Usage: update_keystone_passwords.py [optional: verify_cert False]")
 sys.exit(1)
 sw_ver = sys.argv[1]
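Review bot: `verify_certs` is added to `OpenStackClient.__init__` as a required positional parameter with no default, and the same is done for `CgtsClient.__init__` in the `@@ -187,9 +188,10 @@` hunk, so the signature no longer says that verification is the normal state and any caller that omits the argument fails with a TypeError. Defaulting to the secure value keeps existing call sites working and makes disabling an explicit act: `def __init__(self, verify_certs=True) -> None:` and `def __init__(self, verify_certs=True):`. A short docstring line such as "verify_certs: when False, TLS certificate checks are skipped for all requests made by this client" would document the switch. The constructor body continues outside the hunk.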
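Review bot: When `verify=self.verify_certs` is False, the session returned here authenticates to Keystone without checking the peer's certificate, and this script uses that session to handle account passwords, so the line deserves a comment stating when that is acceptable. If `session` is keystoneauth1's, `verify` also accepts a path to a CA bundle, which would let enrollment trust one specific CA instead of turning checks off; the boolean-only plumbing in this commit rules that option out. The same consideration applies to `insecure=self.insecure` in the `@@ -222,7 +224,8 @@` hunk. The enclosing method starts outside the hunk.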
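Review bot: `self.insecure = False if verify_certs else True` in `CgtsClient.__init__` is an inverted conditional that is easy to misread on a line that decides whether TLS checks run. `self.insecure = not verify_certs` gives the same result for every input and reads directly. A trailing comment such as `# sysinv client takes the inverse flag` would explain why this class stores the negation while `OpenStackClient` stores `verify_certs` itself.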
@@ -272,8 +275,15 @@ def main():
 with open(json_file, 'r') as file:
 user_data = json.load(file)
- osclient = OpenStackClient()
- cgts_client = CgtsClient()
+ verify_certs = True
+ if len(sys.argv) > 3:
+ verify_value = sys.argv[3].lower()
+ if verify_value == 'false':
+ print_with_timestamp("Cert checks will be disabled.")
+ verify_certs = False
+
+ osclient = OpenStackClient(verify_certs)
+ cgts_client = CgtsClient(verify_certs)
 set_keyring_path(sw_ver)
 for user in user_data:
 config_applied = cgts_client.get_host_config_applied("controller-0")
diff --git a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
index 1e96d4f56..73e2466b9 100644
--- a/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
+++ b/playbookconfig/src/playbooks/roles/rehome-enroll-common/update-keystone-data/tasks/migrate_keystone_passwords.yml
@@ -44,6 +44,9 @@
 update_keystone_keyring_passwords.py
 {{ software_version }}
 {{ temp_keystone_pass_file.path }}
+ {% if mode is defined and mode == "enroll" %}
+ False
+ {% endif %}
 register: update_keystone_password_result
 failed_when: false
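Review bot: Any third argument other than the literal `false` is silently treated as "verify" in the new parsing block, so a typo or a value such as `0` or `no` gives the operator no feedback. The usage text in the previous hunk names the argument `verify_cert` without listing the accepted values. Rejecting unknown values keeps the fail-safe default while making mistakes visible. main() begins and continues outside the hunk.

```python
    verify_certs = True
    if len(sys.argv) > 3:
        verify_value = sys.argv[3].strip().lower()
        if verify_value not in ('true', 'false'):
            print_with_timestamp(f"Invalid verify_cert value: {sys.argv[3]!r}")
            sys.exit(1)
        verify_certs = verify_value == 'true'
        if not verify_certs:
            print_with_timestamp("Cert checks will be disabled.")

    # … unchanged: OpenStackClient(verify_certs) / CgtsClient(verify_certs) construction …
```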
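Review bot: The bare `False` appended in enroll mode switches off certificate verification for every enrollment run, with no way to keep it on, and nothing at the call site says what the third argument means. A comment above the task, for example `# enroll mode: third argument False disables TLS certificate verification in update_keystone_keyring_passwords.py`, together with the reason verification cannot succeed at this stage, would make the trade-off reviewable. Driving the value from a role variable that defaults to the current behaviour would let deployments that already trust the CA keep verification on. Because the task keeps `failed_when: false`, a script failure in this mode is not surfaced here; whether `update_keystone_password_result` is checked later is outside the hunk.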