diff --git a/centossecureboot201.cer b/centossecureboot201.cer
new file mode 100644
index 000000000..ca3c13440
Binary files /dev/null and b/centossecureboot201.cer differ
diff --git a/centossecurebootca2.cer b/centossecurebootca2.cer
new file mode 100644
index 000000000..42bdfcfbc
Binary files /dev/null and b/centossecurebootca2.cer differ
diff --git a/kernel.spec b/kernel.spec
index cf13b2d1a..6d57b41b7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -446,15 +446,26 @@ Source9: x509.genkey
 %define signing_key_filename kernel-signing-s390.cer
 %endif
+%if 0%{?centos}
+Source10: centossecurebootca2.cer
+Source13: centossecureboot201.cer
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 centossecureboot201
+%else
 Source10: redhatsecurebootca3.cer
-Source11: redhatsecurebootca5.cer
+#UNUSED, delete file after confirming it works:
+#Source11: redhatsecurebootca5.cer
 Source13: redhatsecureboot501.cer
 Source14: redhatsecureboot302.cer
 Source15: redhatsecureboot303.cer
 Source16: redhatsecurebootca7.cer
 %define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
+# TODO: secureboot_ca_2 is only for ppc64le on rhel -
+# why doesn't it just define secureboot_ca_0 differently
+# instead of using this separate _ca_2 variable?
+# This would simplify some really nasty "if" blocks
 %define secureboot_ca_2 %{SOURCE16}
 %ifarch x86_64 aarch64
@@ -471,6 +482,7 @@ Source16: redhatsecurebootca7.cer
 %define secureboot_key_0 %{SOURCE15}
 %define pesign_name_0 redhatsecureboot701
 %endif
+%endif
 Source17: mod-blacklist.sh
 Source18: mod-sign.sh
@@ -1158,6 +1170,7 @@ done
 %endif
 # Add DUP and kpatch certificates to system trusted keys for RHEL
+%if 0%{?rhel}
 %if %{signkernel}%{signmodules}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
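Review bot: In the `@@ -446` hunk of kernel.spec, the new `%if 0%{?centos}` branch makes `centossecurebootca2.cer` and `centossecureboot201.cer` the Secure Boot CA and signing certificate for CentOS builds, but both enter the tree as opaque binary files and the spec records nothing they can be checked against. I would put the expected fingerprints next to the Source lines, for example `# Source10 SHA-256 fingerprint: <CA-CERT-FINGERPRINT-PLACEHOLDER>` and `# Source13 SHA-256 fingerprint: <SIGNING-CERT-FINGERPRINT-PLACEHOLDER>`, so that a swapped certificate shows up in review. The commented-out `#Source11:` line with its "delete file after confirming it works" remark is a follow-up item that fits the commit message better than the spec. The `%if` opened here is closed by the `+%endif` in the `@@ -471` hunk.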
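Review bot: The `%if 0%{?rhel}` guard added in the `@@ -1158` hunk (closed by the `+%endif` in `@@ -1170`, and used again in `@@ -1740`) may not keep CentOS builds out, because CentOS build roots usually define `rhel` as well as `centos`; this should be confirmed against the dist macros of the target build root. If both are set, the RHEL DUP and kpatch certificates are still written into `CONFIG_SYSTEM_TRUSTED_KEYS` for a CentOS kernel, and on ppc64le the `@@ -1740` hunk installs `%{secureboot_ca_2}`, which the centos branch at `@@ -446` never defines. A guard that states the intent would be `%if 0%{?rhel} && !0%{?centos}`. The body of this `%if` continues outside the hunk.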
@@ -1170,6 +1183,7 @@ for i in *.config; do
 sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
 %endif
+%endif
 cp %{SOURCE42} .
 ./process_configs.sh -w -c %{name} %{rpmversion} %{?cross_opts}
@@ -1740,8 +1754,12 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch ppc64le
- install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %if 0%{?rhel}
+ %ifarch ppc64le
+ install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %endif
 %else
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
@@ -2688,7 +2706,10 @@ fi
 #
 #
 %changelog
-* Fri Mar 17 2023 Denys Vlasenko [4.18.0-479.el8]
+* Sat Mar 18 2023 Denys Vlasenko [4.18.0-479.el8]
+- redhat: add centos signing certs (Denys Vlasenko)
+- redhat: fix "make rh-brew" not choosing _scratch_ build (Denys Vlasenko)
+- mfd: intel-lpss: Add Intel Meteor Lake-P PCI IDs (Prarit Bhargava) [2156843]
 - x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
 - redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
 - redhat: delete unused script and file (Denys Vlasenko) [2179095]
diff --git a/sources b/sources
index f3de3c1b7..ed433d1aa 100644
--- a/sources
+++ b/sources
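Review bot: The comment above the install block in the `@@ -1740` hunk still reads "Red Hat UEFI Secure Boot CA cert", although after this change `%{secureboot_ca_0}` is the CentOS CA on CentOS builds, so the file shipped as `kernel-signing-ca.cer` is no longer always a Red Hat certificate. I would reword it to `# UEFI Secure Boot CA cert of the distribution (Red Hat or CentOS), which can be used to authenticate the kernel`. The inner and outer `%else` arms now carry the same `install` line, so a short comment on the outer `%if` stating that only RHEL ppc64le uses `secureboot_ca_2` would keep the two arms from drifting apart. BuildKernel() starts and ends outside the hunk.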
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-479.el8.tar.xz) = 869dedc389501dc314ff6a50c3550956e29bbb205b4db33c0c19f9fdc044aaaf2f9e71a8cec30de32487ff55a37f9de2cd188b44d53f19ec1f9fbae15864ded2
-SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = dba639a523d927e581d1df43b0b94024a42692f2be79a5e827b3ab971395ac25e7738eba848dc537baec3b7eabdec707ab3fbed9e01e262ecb47bcf544fa4f66
-SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e91527cddef81a7b0e90403b890ca444975ff0f59aae5b99e93ffc187b3e8031e4e09cacaed4d667d25eaa149919b08580f9132e5684229f15d03e21b988439a
+SHA512 (linux-4.18.0-479.el8.tar.xz) = 3f1cd8c8c2b2a48bf7509fbf137f66e0685e5e911b8775b4588f77aaa825a456fbbf568e261c3802a193fee70b2f063cce384ceb6ba54d051960c44d3570631b
+SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = 6696893e336830ea1c7108e69f72704dc884507a355f87a545e03ac0ad6046490f264d7a1c1ab159fad2b4714f04b81817a1794064c52cca2265aadfb381b729
+SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e4acc8a0d2babc3874870a8ff95917dc5741b897f32a9e4b6475430d5da3c1a8f75b194961d1c3054ae9a0dff7751e5f25ea4c6228d69a0ae604f5283cfd9ca6