diff --git a/files/httpd/website_id_fp_o_zanata.conf b/files/httpd/website_id_fp_o_zanata.conf
index f2c9322b39..871be0e430 100644
--- a/files/httpd/website_id_fp_o_zanata.conf
+++ b/files/httpd/website_id_fp_o_zanata.conf
@@ -14,9 +14,9 @@ Listen 44342 https
 
   SSLEngine on
   SSLUseStapling on
-  SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
+  SSLCertificateFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
+  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert
 
   SSLHonorCipherOrder On
 
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f862897cd9..ef0057e0f3 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -235,10 +235,10 @@ max_cpu: "{{ num_cpus * 5 }}"
 
 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
-wildcard_cert_name: wildcard-2017.fedoraproject.org
-wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
-wildcard_key_file: wildcard-2017.fedoraproject.org.key
-wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert
+wildcard_cert_name: wildcard-2020.fedoraproject.org
+wildcard_crt_file: wildcard-2020.fedoraproject.org.cert
+wildcard_key_file: wildcard-2020.fedoraproject.org.key
+wildcard_int_file: wildcard-2020.fedoraproject.org.intermediate.cert
 
 # This is the openshift wildcard cert. Until it exists set it equal to wildcard
 os_wildcard_cert_name: wildcard-2017.app.os.fedoraproject.org
diff --git a/playbooks/include/proxies-certificates.yml b/playbooks/include/proxies-certificates.yml
index 12255708ac..4d494fedaf 100644
--- a/playbooks/include/proxies-certificates.yml
+++ b/playbooks/include/proxies-certificates.yml
@@ -16,8 +16,8 @@
   - role: httpd/mod_ssl
 
   - role: httpd/certificate
-    certname: wildcard-2017.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    certname: wildcard-2020.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 
   # - role: httpd/certificate
   #   certname: wildcard-2017.fedorahosted.org
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 0dee3e7079..9c8beb2677 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -903,7 +903,7 @@
   - role: httpd/website
     site_name: nagios.fedoraproject.org
     server_aliases: [nagios.stg.fedoraproject.org]
-    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+    SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
     sslonly: true
     cert_name: "{{wildcard_cert_name}}"
 
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index d9c61469b5..914f30be99 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -62,13 +62,13 @@
   - selinux
 
 - name: Copy wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert owner=root group=root mode=0644
 
 - name: Copy wildcard key from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key owner=root group=root mode=0600
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.key" dest=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key owner=root group=root mode=0600
 
 - name: Copy intermediate wildcard cert from puppet private
-  copy: src="{{private}}/files/httpd/wildcard-2017.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
+  copy: src="{{private}}/files/httpd/wildcard-2020.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 
 - name: Configure httpd dl main conf
   template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
diff --git a/roles/fedmsg/gateway/slave/tasks/main.yml b/roles/fedmsg/gateway/slave/tasks/main.yml
index 7c77da1a52..d50260d844 100644
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@@ -98,8 +98,8 @@
 
 - name: put our combined cert in place
   copy: >
-    src={{private}}/files/httpd/wildcard-2017.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2020.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
     owner=root group=root mode=0644
   notify: restart stunnel
   tags:
diff --git a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2 b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
index 77d11c33e2..53f69497cc 100644
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
 pid = /var/run/stunnel.pid
 
 [{{ stunnel_service }}]
diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index 3fed4bdc4a..b7aa68040b 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -8,7 +8,7 @@ server_admin: webmaster@fedoraproject.org
 certbot: false
 ssl: true
 sslonly: false
-SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
+SSLCertificateChainFile: wildcard-2020.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
 # set to true to enable the proxy to redirect the http01 challenge
diff --git a/roles/kojipkgs/files/squid.conf b/roles/kojipkgs/files/squid.conf
index 3cf8f77b3a..b9c86c9568 100644
--- a/roles/kojipkgs/files/squid.conf
+++ b/roles/kojipkgs/files/squid.conf
@@ -1,5 +1,5 @@
 http_port 80 accel defaultsite=kojipkgs.fedoraproject.org
-https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2017.squid.cert key=/etc/pki/tls/private/wildcard-2017.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
+https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2020.fedoraproject.org.combined.cert key=/etc/pki/tls/private/wildcard-2020.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
 
 cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs