diff --git a/CHANGELOG.md b/CHANGELOG.md
index 352744e7..c3cd645a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 All notable changes to the Zlux Server Framework package will be documented in this file.
 This repo is part of the app-server Zowe Component, and the change logs here may appear on Zowe.org in that section.
 
+## 2.9.0
+
+- Enhancement: zowe.certificates.pem is no longer needed when using keyrings (#448)
+
 ## 2.8.0
 
 - Enhancement: Support zowe.verifyCertificates=NONSTRICT (#468)
diff --git a/lib/webserver.js b/lib/webserver.js
index e961b719..669cd762 100644
--- a/lib/webserver.js
+++ b/lib/webserver.js
@@ -69,7 +69,10 @@ function parseSafKeyringAddress(safEntry) {
 const userId = safEntry.substring(0,endUserIndex);
 const endNameIndex = safEntry.indexOf('&',endUserIndex+1);
 if (endNameIndex == -1 || endNameIndex == safEntry.length-1) {
- return null;
+ return {
+ userId,
+ keyringName: safEntry.substring(endUserIndex+1,endNameIndex)
+ }
 } else {
 return {
 userId,
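Review bot: When the entry contains no `&`, `endNameIndex` is -1 and `safEntry.substring(endUserIndex+1,endNameIndex)` does not yield the ring name: `substring` treats -1 as 0 and swaps its arguments, so `keyringName` becomes the leading user id plus its separator. The new code in the next hunk hands this parser's result to the keyring lookup, so a wrong name means the wrong ring or none is read; take the end index only when it is valid, e.g. `keyringName: endNameIndex == -1 ? safEntry.substring(endUserIndex+1) : safEntry.substring(endUserIndex+1,endNameIndex)`. The trailing-`&` case (`endNameIndex == safEntry.length-1`) is fine as written. The start of parseSafKeyringAddress is outside the hunk, so whether `endUserIndex` can itself be -1 at this point is not visible and worth confirming. A one-line comment on the return shape, such as `// no label: entry names the whole ring, not a single certificate`, would help callers that previously relied on `null`.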
@@ -275,31 +278,37 @@ WebServer.prototype = { } } config.https.ipAddresses = uniqueIps; - if(keyring_js && process.env.KEYSTORE_TYPE == 'JCERACFKS') { - const keyringOwner = process.env.KEYRING_OWNER; - const keyringName = process.env.KEYRING_NAME; - let certificateList; - if (!config.https.certificateAuthorities) { - config.https.certificateAuthorities = []; - } - if(keyringOwner && keyringName) { - try { - certificateList = keyring_js.listKeyring(keyringOwner, keyringName); - } catch(e) { - bootstrapLogger.warn('ZWED0179W', keyringName, keyringOwner, e); - } - } - if(certificateList) { - for(let i = 0; i < certificateList.length; i++) { - if(certificateList[i].usage === 'CERTAUTH') { - let safKeyring = `safkeyring:////${keyringOwner}/${keyringName}&${certificateList[i].label}`; - if(config.https.certificateAuthorities.indexOf(safKeyring) === -1) { - config.https.certificateAuthorities.push(safKeyring); + let newEntries = []; + if(keyring_js && config.https.certificateAuthorities) { + for (let j = 0; j < config.https.certificateAuthorities.length; j++) { + const entry = config.https.certificateAuthorities[j]; + if (!entry.startsWith('safkeyring://')) { + //keep + newEntries.push(entry); + } else { + const {owner, ringName, label} = parseSafKeyringAddress(entry); + let certificateList; + if(owner && ringName) { + try { + certificateList = keyring_js.listKeyring(owner, ringName); + } catch(e) { + bootstrapLogger.warn('ZWED0179W', ringName, owner, e); + } + } + if(certificateList) { + for(let i = 0; i < certificateList.length; i++) { + if(certificateList[i].usage === 'CERTAUTH') { + let safKeyring = `${entry}&${certificateList[i].label}`; + if(config.https.certificateAuthorities.indexOf(safKeyring) === -1) { + newEntries.push(safKeyring); + } + } } } } } } + config.https.certificateAuthorities = newEntries; } return canRun; }),
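Review bot: The destructuring `const {owner, ringName, label} = parseSafKeyringAddress(entry);` asks for keys the parser does not return — the branch shown in the earlier lib/webserver.js hunk returns `userId` and `keyringName` — so `owner && ringName` is never true, `listKeyring` is never called, and every `safkeyring://` entry is dropped from `newEntries`. The same line throws a TypeError if the parser returns `null` or `undefined` for a malformed entry; its other return paths are outside this diff. `config.https.certificateAuthorities = newEntries;` also runs when `keyring_js` is not loaded, replacing a configured CA list with `[]`, and a failed `listKeyring` only logs ZWED0179W while the entry disappears. This list is the server's set of trust anchors, so a silently shortened list deserves a startup error or a documented fallback rather than a warning. The enclosing function starts and ends outside the hunk; the fence shows only the lines I would change.

```javascript
      } else {
        // parseSafKeyringAddress returns userId/keyringName; tolerate a non-object result
        const parsed = parseSafKeyringAddress(entry) || {};
        const owner = parsed.userId;
        const ringName = parsed.keyringName;
        // … unchanged: listKeyring call and CERTAUTH expansion …
    // … unchanged: end of the else branch and of the loop over entries …
    // still inside if(keyring_js && config.https.certificateAuthorities):
    // replace the list only when it was actually rebuilt
    config.https.certificateAuthorities = newEntries;
```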