diff --git a/hooks/blueprint b/hooks/blueprint index dddbe793..47bb94ed 100755 --- a/hooks/blueprint +++ b/hooks/blueprint @@ -113,6 +113,8 @@ dynamic::isolation::segments() { '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null then additional_trusted_certs="$(dynamic::isolation::template::render "additional-trusted-certs" "$group")" + want_feature cflinuxfs3 && + additional_trusted_certs+=" $(dynamic::isolation::template::render "additional-trusted-certs-cflinuxfs3" "$group")" want_feature ocfp && additional_trusted_certs+=" $(dynamic::isolation::template::render "ocfp-trusted-certs" "$group")" fi @@ -725,9 +727,10 @@ features::process() { ;; (trust-blacksmith-ca) manifests+=( "overlay/addons/trust-blacksmith-ca.yml" ) - if want_feature ocfp - then manifests+=( "ocfp/trust-blacksmith-ca.yml" ) - fi + want_feature cflinuxfs3 && \ + manifests+=( "overlay/addons/trust-blacksmith-ca-cflinuxfs3.yml" ) + want_feature ocfp && \ + manifests+=( "ocfp/trust-blacksmith-ca.yml" ) ;; (app-autoscaler-integration) manifests+=( "overlay/addons/autoscaler.yml" ) diff --git a/operations/use-cflinuxfs3.yml b/operations/use-cflinuxfs3.yml index 5e52e190..4c7e7b1c 100644 --- a/operations/use-cflinuxfs3.yml +++ b/operations/use-cflinuxfs3.yml @@ -83,7 +83,7 @@ path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego/lifecycle_bundles/buildpack~1cflinuxfs3? value: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz - type: replace - path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup? + path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup:before value: name: cflinuxfs3-rootfs-setup properties: diff --git a/overlay/addons/trust-blacksmith-ca-cflinuxfs3.yml b/overlay/addons/trust-blacksmith-ca-cflinuxfs3.yml new file mode 100644 index 00000000..c87c6d06 --- /dev/null +++ b/overlay/addons/trust-blacksmith-ca-cflinuxfs3.yml 
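Review bot: In the `(trust-blacksmith-ca)` arm, replacing `if want_feature ocfp … fi` with `want_feature ocfp && manifests+=( … )` makes the arm finish with a non-zero status whenever `ocfp` is not enabled, where the `if` form returned 0. `features::process` starts and ends outside the hunk, so I cannot see whether that status can become the function's return value; if it can, a caller running under `set -e` would abort. Keeping the `if` form for both checks avoids this, e.g. `if want_feature cflinuxfs3; then manifests+=( "overlay/addons/trust-blacksmith-ca-cflinuxfs3.yml" ); fi`. The trailing `\` after `&&` is also unnecessary.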
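Review bot: The new path `/instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup:before` turns a replace-or-create into an unconditional insert. The old `name=cflinuxfs3-rootfs-setup?` form could be applied to a manifest that already had the job, while this one would add a second `cflinuxfs3-rootfs-setup` entry in that case, and it fails outright if `diego-cell` has no `cflinuxfs4-rootfs-setup` job. A comment above the op stating both assumptions would help, for example `# inserts before cflinuxfs4-rootfs-setup, which must exist; cflinuxfs3-rootfs-setup must not already be present`. The `value:` block continues past the end of the hunk.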
@@ -0,0 +1,4 @@ +--- +- type: replace + path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/cflinuxfs3-rootfs/trusted_certs/- + value: (( vault $GENESIS_EXODUS_MOUNT genesis.env "/blacksmith:blacksmith_ca" )) diff --git a/overlay/addons/trust-blacksmith-ca.yml b/overlay/addons/trust-blacksmith-ca.yml index ac410100..cd87118c 100644 --- a/overlay/addons/trust-blacksmith-ca.yml +++ b/overlay/addons/trust-blacksmith-ca.yml @@ -1,6 +1,6 @@ --- - type: replace - path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup/properties/cflinuxfs3-rootfs/trusted_certs/- + path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs4-rootfs-setup/properties/cflinuxfs4-rootfs/trusted_certs/- value: (( vault $GENESIS_EXODUS_MOUNT genesis.env "/blacksmith:blacksmith_ca" )) - type: replace path: /instance_groups/name=diego-cell/jobs/name=rep/properties/containers/trusted_ca_certificates/- diff --git a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs-cflinuxfs3.yml b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs-cflinuxfs3.yml new file mode 100644 index 00000000..2c049cb4 --- /dev/null +++ b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs-cflinuxfs3.yml @@ -0,0 +1,8 @@ +--- +instance_groups: +- name: (( grab meta.name )) + jobs: + - name: cflinuxfs3-rootfs-setup + properties: + cflinuxfs3-rootfs: + trusted_certs: (( defer grab params.isolation_segments.{{segment-name}}.base_trusted_certs params.isolation_segments.{{segment-name}}.additional_trusted_certs )) diff --git a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml index e619a7a4..18647670 100644 --- a/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml +++ b/overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml 
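Review bot: This op appends to `trusted_certs/-` under `name=cflinuxfs3-rootfs-setup` with no optional (`?`) segments, so it resolves only if that job and its `cflinuxfs3-rootfs.trusted_certs` array already exist when the overlay is merged. `features::process` adds the file from the `trust-blacksmith-ca` arm, and this diff does not show whether `operations/use-cflinuxfs3.yml` is already in `manifests` at that point. Failing the merge is the right outcome for a trust-store change, but the ordering requirement deserves a header comment such as `# requires operations/use-cflinuxfs3.yml to be merged first (creates cflinuxfs3-rootfs-setup)`.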
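Review bot: The new `isolation-segment-additional-trusted-certs-cflinuxfs3.yml` template has no header comment and reads `params.isolation_segments.{{segment-name}}.base_trusted_certs` without defining it. The sibling cflinuxfs4 template appears to have a `params:` section (visible only as hunk context), and `hooks/blueprint` renders this file right after that one, so it presumably depends on being merged together with it. I would say so at the top of the file, e.g. `# cflinuxfs3 counterpart of isolation-segment-additional-trusted-certs.yml; only valid when rendered alongside it`. It is also worth noting there that `trusted_certs` is set to the same base-plus-additional list for both stacks, so a CA added for a segment is trusted by apps on either rootfs.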
@@ -11,9 +11,9 @@ params: instance_groups: - name: (( grab meta.name )) jobs: - - name: cflinuxfs3-rootfs-setup + - name: cflinuxfs4-rootfs-setup properties: - cflinuxfs3-rootfs: + cflinuxfs4-rootfs: trusted_certs: (( defer grab params.isolation_segments.{{segment-name}}.base_trusted_certs params.isolation_segments.{{segment-name}}.additional_trusted_certs )) - name: rep properties: diff --git a/overlay/dynamic-templates/isolation-segment-cflinuxfs3.yml b/overlay/dynamic-templates/isolation-segment-cflinuxfs3.yml index a77f6a3f..ee23608d 100644 --- a/overlay/dynamic-templates/isolation-segment-cflinuxfs3.yml +++ b/overlay/dynamic-templates/isolation-segment-cflinuxfs3.yml @@ -17,14 +17,7 @@ meta: instance_groups: - name: (( grab meta.name )) jobs: - - name: cflinuxfs3-rootfs-setup - release: cflinuxfs3 - properties: - cflinuxfs3-rootfs: - trusted_certs: - - ((diego_instance_identity_ca.ca)) - - ((credhub_tls.ca)) - - ((uaa_ssl.ca)) + - (( merge on name )) - name: rep release: diego properties: @@ -33,3 +26,12 @@ instance_groups: preloaded_rootfses: - (( prepend )) - cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar + - (( insert before "cflinuxfs4-rootfs-setup" )) + - name: cflinuxfs3-rootfs-setup + release: cflinuxfs3 + properties: + cflinuxfs3-rootfs: + trusted_certs: + - ((diego_instance_identity_ca.ca)) + - ((credhub_tls.ca)) + - ((uaa_ssl.ca))
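Review bot: The re-added `cflinuxfs3-rootfs-setup` job in the last hunk hard-codes its own `trusted_certs` list (`diego_instance_identity_ca.ca`, `credhub_tls.ca`, `uaa_ssl.ca`), separate from whatever the `cflinuxfs4-rootfs-setup` job in the same instance group trusts. The two stacks' container trust stores can therefore drift when only one list is edited. The cflinuxfs4 list is not visible in this diff, so I cannot tell whether they match today; a comment next to the list, e.g. `# keep in sync with the cflinuxfs4-rootfs trusted_certs list`, would flag the coupling. `(( insert before "cflinuxfs4-rootfs-setup" ))` also assumes that job is already present in the merged `jobs` array, which is worth stating in the same comment.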