diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 87ded5a8a8..fefa06451c 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -33,6 +33,9 @@
 - role: keytab/service
 service: kojira
 host: "koji{{env_suffix}}.fedoraproject.org"
+ - role: keytab/service
+ service: koji-gc
+ host: "koji{{env_suffix}}.fedoraproject.org"
 - koji_hub
 - role: keytab/service
 service: shadow
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
index 0899a65f31..b3f861f92d 100644
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@@ -407,24 +407,6 @@
 - koji_hub
 when: env != 'staging' and ansible_hostname.startswith('koji')
 
-- name: install cert for oscar (garbage collector) user
- copy: src={{ private }}/files/koji/gc/oscar_key_and_cert.pem dest=/etc/koji-gc/client.crt
- tags:
- - koji_hub
- when: env != 'staging' and ansible_hostname.startswith('koji')
-
-- name: install serverca cert for oscar (garbage collector) user
- copy: src={{ private }}/files/fedora-ca.cert dest=/etc/koji-gc/serverca.crt
- tags:
- - koji_hub
- when: env != 'staging' and ansible_hostname.startswith('koji')
-
-- name: install clientca cert for oscar (garbage collector) user
- copy: src={{ private }}/files/fedora-ca.cert dest=/etc/koji-gc/clientca.crt
- tags:
- - koji_hub
- when: env != 'staging' and ansible_hostname.startswith('koji')
-
 - name: install koji-gc.conf
 template: src=koji-gc.conf.j2 dest=/etc/koji-gc/koji-gc.conf
 tags:
diff --git a/roles/koji_hub/templates/koji-gc.conf.j2 b/roles/koji_hub/templates/koji-gc.conf.j2
index 8136f32e2d..4289d08b34 100644
--- a/roles/koji_hub/templates/koji-gc.conf.j2
+++ b/roles/koji_hub/templates/koji-gc.conf.j2
@@ -2,6 +2,11 @@ #earlier = higher precedence! [main] +; For Kerberos authentication +; the principal to connect with +principal=koji-gc/koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}} +; The location of the keytab for the principal above +keytab=/etc/krb5.koji-gc_koji{{env_suffix}}.fedoraproject.org.keytab krb_rdns = True key_aliases = @@ -50,9 +55,9 @@ unprotected_keys = fedora-epel-6 fedora-epel-7 -server = https://koji.fedoraproject.org/kojihub +server = {{ koji_server_url }} serverca = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -weburl = http://koji.fedoraproject.org/koji +weburl = {{ koji_web_url }} from_addr = Koji Build System [prune]
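Review bot: The new `principal=` and `keytab=` lines are written without spaces around `=` and with `;` comments, while the surrounding file uses `krb_rdns = True` and `#earlier = higher precedence!`; matching the file would be `principal = koji-gc/koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}}` and `keytab = /etc/krb5.koji-gc_koji{{env_suffix}}.fedoraproject.org.keytab` with `#` comments. The keytab path is spelled out by hand here and has to agree with whatever path the keytab/service role added in playbooks/groups/koji-hub.yml actually writes; nothing on this page ties the two together, so a comment such as `# must match the keytab path written by the keytab/service role for service koji-gc` would save the next maintainer a hunt. Since the client cert install tasks were removed in roles/koji_hub/tasks/main.yml, any `cert =` setting still present elsewhere in this template (not visible in this hunk) would now point at a file that is no longer installed and should be checked and dropped.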
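Review bot: `server = {{ koji_server_url }}` and `weburl = {{ koji_web_url }}` replace fixed URLs, so the scheme of the hub connection is now whatever the inventory variable holds; the hub call carries the authenticated session, so `koji_server_url` should stay an `https://` URL, and the unchanged `serverca` line only has an effect when it does. Neither variable is defined on this page; by default Ansible fails at template time on an undefined variable rather than writing a broken config, which is the better failure mode but still worth documenting with `# koji_server_url / koji_web_url are expected from group vars`. Jinja spacing is also mixed across the commit: `{{ koji_server_url }}` here but `{{env_suffix}}` and `{{ipa_realm}}` in the hunk above, so picking one form would keep the template consistent.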