diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
index 494ea4865cd..b09668503a4 100644
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/che.properties
@@ -188,18 +188,6 @@ che.oauth.openshift.verify_token_url= NULL
 # a recurring schedule.
 schedule.core_pool_size=10
-# Name of cofig map in Che server namespace with additional CA TLS certificates to be propogated into all user's workspaces.
-# If the property is set on OpenShift 4 infrastructure, then cluster CA bundle will be propogated too.
-che.trusted_ca.bundles_configmap=NULL
-
-# Name of configmap in a workspace namespace with additional CA TLS certificates.
-# Holds the copy of che.trusted_ca.bundles_configmap but in a workspace namespace.
-# Content of this config map is mounted into all workspace containers including plugin brokers.
-che.trusted_ca.workspace_bundle_configmap=ca-certs
-
-# Configures path on workspace containers where the CA bundles are mount.
-che.trusted_ca.bundle_mount_path=/public-certs
-
 # DB initialization and migration configuration
 db.schema.flyway.baseline.enabled=true
 db.schema.flyway.baseline.version=5.0.0.8.1
@@ -251,9 +239,6 @@ che.infra.kubernetes.ingress.domain=
 # the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
 che.infra.kubernetes.namespace=
-# Labels for config maps which holds trusted CA bundle in workspace namespace.
-che.infra.kubernetes.trusted_ca_bundles_config_map_labels=NULL
-
 # Indicates whether Che server is allowed to create namespaces/projects for user
 # workspaces, or they're intended to be created manually by cluster administrator.
 # This property is also used by the OpenShift infra.
@@ -491,6 +476,26 @@ che.infra.kubernetes.tls_cert=NULL
 # - Che Server communicates with Kubernetes API using token from OAuth provider;
 che.infra.kubernetes.runtimes_consistency_check_period_min=-1
+
+# Name of cofig map in Che server namespace with additional CA TLS certificates to be propagated into all user's workspaces.
+# If the property is set on OpenShift 4 infrastructure, and che.infra.openshift.trusted_ca.dest_configmap_labels includes
+# config.openshift.io/inject-trusted-cabundle=true label, then cluster CA bundle will be propagated too.
+che.infra.kubernetes.trusted_ca.src_configmap=NULL
+
+# Name of configmap in a workspace namespace with additional CA TLS certificates.
+# Holds the copy of che.infra.kubernetes.trusted_ca.src_configmap but in a workspace namespace.
+# Content of this config map is mounted into all workspace containers including plugin brokers.
+# Do not change the config map name unless it conflicts with the already existing config map.
+che.infra.kubernetes.trusted_ca.dest_configmap=ca-certs
+
+# Configures path on workspace containers where the CA bundle should be mount.
+# Content of config map specified by che.infra.kubernetes.trusted_ca.dest_configmap is mounted.
+che.infra.kubernetes.trusted_ca.mount_path=/public-certs
+
+# Comma separated list of labels to add to the CA certificates config map in user workspace.
+# See che.infra.kubernetes.trusted_ca.dest_configmap property.
+che.infra.kubernetes.trusted_ca.dest_configmap_labels=
+
 ### OpenShift Infra parameters
 # Since OpenShift infrastructure reuse Kubernetes infrastructure components
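Review bot: The default for `che.infra.kubernetes.trusted_ca.dest_configmap_labels` is now an empty value, whereas the property it replaces (`che.infra.kubernetes.trusted_ca_bundles_config_map_labels`) defaulted to `NULL`. The KubernetesTrustedCAProvisioner constructor still declares this parameter `@Nullable`, which suggests that "unset" is represented by null; whether an empty string is parsed the same way is not visible in this diff, so either confirm it or keep `che.infra.kubernetes.trusted_ca.dest_configmap_labels=NULL`. Since the destination config map is mounted into every workspace container and plugin broker, the comment on `src_configmap` could also state that write access to the source config map should be limited to administrators. The typos `cofig map` and `should be mount` are carried into the new text.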
@@ -509,9 +514,10 @@ che.infra.kubernetes.runtimes_consistency_check_period_min=-1
 # the namespace specified by the che.infra.kubernetes.namespace.default will be created and used.
 che.infra.openshift.project=
-# Labels for config maps which holds trusted CA bundle in workspace namespace.
-# THis default value is used for automatic certificate injection in Openshift 4.
-che.infra.openshift.trusted_ca_bundles_config_map_labels=config.openshift.io/inject-trusted-cabundle=true
+# Comma separated list of labels to add to the CA certificates config map in user workspace.
+# See che.infra.kubernetes.trusted_ca.dest_configmap property.
+# This default value is used for automatic cluster CA bundle injection in Openshift 4.
+che.infra.openshift.trusted_ca.dest_configmap_labels=config.openshift.io/inject-trusted-cabundle=true
 # Additional labels to add into every Route created by Che server
 # to allow clear identification.
diff --git a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che_aliases.properties b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che_aliases.properties
index af2794cdf14..c585b041d02 100644
--- a/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che_aliases.properties
+++ b/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che_aliases.properties
@@ -38,6 +38,7 @@ che.limits.workspace.idle.timeout=che.workspace.agent.dev.inactive_stop_timeout_
 che.workspace.default_memory_limit_mb=che.workspace.default_memory_mb
-che.trusted_ca.bundles_configmap=che.trusted_ca_bundles_configmap
-che.trusted_ca.workspace_bundle_configmap=che.infra.openshift.trusted_ca_bundles_config_map
-che.trusted_ca.bundle_mount_path=che.infra.openshift.trusted_ca_bundles_mount_path
+che.infra.kubernetes.trusted_ca.src_configmap=che.trusted_ca_bundles_configmap
+che.infra.kubernetes.trusted_ca.dest_configmap=che.infra.openshift.trusted_ca_bundles_config_map
+che.infra.kubernetes.trusted_ca.mount_path=che.infra.openshift.trusted_ca_bundles_mount_path
+che.infra.openshift.trusted_ca.dest_configmap_labels=che.infra.openshift.trusted_ca_bundles_config_map_labels
diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/KubernetesTrustedCAProvisioner.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/KubernetesTrustedCAProvisioner.java
index 9364a0299a3..a187a0e173e 100644
--- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/KubernetesTrustedCAProvisioner.java
+++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/KubernetesTrustedCAProvisioner.java
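Review bot: The alias keys are replaced rather than extended, so the names this commit retires (`che.trusted_ca.bundles_configmap`, `che.trusted_ca.workspace_bundle_configmap`, `che.trusted_ca.bundle_mount_path`) no longer map to anything, and `che.infra.kubernetes.trusted_ca_bundles_config_map_labels` gets no alias line at all. A deployment that still sets one of them would fall back to the defaults after the upgrade, which for the source config map is `NULL`, so workspaces would presumably stop receiving the custom CA bundle with no error at startup. If the alias loader accepts a comma-separated list of old names (not visible in this diff), each line could keep both generations, e.g. `che.infra.kubernetes.trusted_ca.src_configmap=che.trusted_ca_bundles_configmap,che.trusted_ca.bundles_configmap`. Otherwise the removal should be called out in the release notes.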
@@ -58,10 +58,10 @@ public class KubernetesTrustedCAProvisioner implements TrustedCAProvisioner {
 @Inject
 public KubernetesTrustedCAProvisioner(
- @Nullable @Named("che.trusted_ca.bundles_configmap") String caBundleConfigMap,
- @Named("che.trusted_ca.workspace_bundle_configmap") String configMapName,
- @Named("che.trusted_ca.bundle_mount_path") String certificateMountPath,
- @Nullable @Named("che.infra.kubernetes.trusted_ca_bundles_config_map_labels")
+ @Nullable @Named("che.infra.kubernetes.trusted_ca.src_configmap") String caBundleConfigMap,
+ @Named("che.infra.kubernetes.trusted_ca.dest_configmap") String configMapName,
+ @Named("che.infra.kubernetes.trusted_ca.mount_path") String certificateMountPath,
+ @Nullable @Named("che.infra.kubernetes.trusted_ca.dest_configmap_labels")
 String configMapLabel,
 CheInstallationLocation cheInstallationLocation,
 KubernetesNamespaceFactory namespaceFactory,
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenshiftTrustedCAProvisioner.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenshiftTrustedCAProvisioner.java
index f769a1fa6b3..9148a8edace 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenshiftTrustedCAProvisioner.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/provision/OpenshiftTrustedCAProvisioner.java
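Review bot: The constructor parameter names no longer line up with the property names bound to them: `caBundleConfigMap` receives `...trusted_ca.src_configmap`, `configMapName` receives `...trusted_ca.dest_configmap`, and the singular `configMapLabel` receives what the properties file describes as a comma-separated list of labels. Renaming them to `srcConfigMap`, `destConfigMap` and `destConfigMapLabels`, or adding a Javadoc `@param` line for each, would make it harder to confuse the source and destination config maps when this class is next edited. The same applies to the OpenshiftTrustedCAProvisioner constructor changed later in this diff. Both constructors start and end outside their hunks, so how the values are used cannot be checked here.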
@@ -23,9 +23,9 @@
 /**
 * This class overrides CA bundle config map labels (from
- * che.infra.openshift.trusted_ca_bundles_config_map_labels property) to be able to include
- * OpenShift 4+ specific label config.openshift.io/inject-trusted-cabundle=true that makes OpenShift
- * inject cluster CA bundle into resulting config map. For more details see
+ * che.infra.openshift.trusted_ca.dest_configmap_labels) to be able to include OpenShift 4+ specific
+ * label config.openshift.io/inject-trusted-cabundle=true that makes OpenShift inject cluster CA
+ * bundle into resulting config map. For more details see
 * https://docs.openshift.com/container-platform/4.3/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
 */
 @Singleton
@@ -33,10 +33,10 @@ public class OpenshiftTrustedCAProvisioner extends KubernetesTrustedCAProvisione
 @Inject
 public OpenshiftTrustedCAProvisioner(
- @Nullable @Named("che.trusted_ca.bundles_configmap") String caBundleConfigMap,
- @Named("che.trusted_ca.workspace_bundle_configmap") String configMapName,
- @Named("che.trusted_ca.bundle_mount_path") String certificateMountPath,
- @Nullable @Named("che.infra.openshift.trusted_ca_bundles_config_map_labels")
+ @Nullable @Named("che.infra.kubernetes.trusted_ca.src_configmap") String caBundleConfigMap,
+ @Named("che.infra.kubernetes.trusted_ca.dest_configmap") String configMapName,
+ @Named("che.infra.kubernetes.trusted_ca.mount_path") String certificateMountPath,
+ @Nullable @Named("che.infra.openshift.trusted_ca.dest_configmap_labels")
 String configMapLabel,
 CheInstallationLocation cheInstallationLocation,
 OpenShiftProjectFactory projectFactory,