diff --git a/nexus/db-queries/src/authz/omicron.polar b/nexus/db-queries/src/authz/omicron.polar
index 17aa05c6dd..a4c98c0de3 100644
--- a/nexus/db-queries/src/authz/omicron.polar
+++ b/nexus/db-queries/src/authz/omicron.polar
@@ -205,23 +205,14 @@ has_relation(silo: Silo, "parent_silo", project: Project)
 #
 resource Certificate {
- permissions = [
- "read",
- "modify",
- "create_child",
- "list_children",
- ];
+ permissions = [ "read", "modify" ];
 relations = { parent_silo: Silo, parent_fleet: Fleet };
 # Fleet-level and silo-level roles both grant privileges on certificates.
 "read" if "admin" on "parent_silo";
 "modify" if "admin" on "parent_silo";
- "create_child" if "admin" on "parent_silo";
- "list_children" if "admin" on "parent_silo";
 "read" if "admin" on "parent_fleet";
 "modify" if "admin" on "parent_fleet";
- "create_child" if "admin" on "parent_fleet";
- "list_children" if "admin" on "parent_fleet";
 }
 has_relation(silo: Silo, "parent_silo", certificate: Certificate)
 if certificate.silo = silo;
@@ -420,7 +411,6 @@ resource SiloCertificateList {
 # Both Fleet and Silo administrators can see and modify the Silo's
 # certificates.
 "list_children" if "admin" on "parent_silo";
- "list_children" if "admin" on "parent_silo";
 "list_children" if "admin" on "parent_fleet";
 "create_child" if "admin" on "parent_silo";
 "create_child" if "admin" on "parent_fleet";
diff --git a/nexus/db-queries/src/db/datastore/rack.rs b/nexus/db-queries/src/db/datastore/rack.rs
index 3a3442736e..1675549c21 100644
--- a/nexus/db-queries/src/db/datastore/rack.rs
+++ b/nexus/db-queries/src/db/datastore/rack.rs
@@ -330,8 +330,6 @@ impl DataStore {
 use db::schema::certificate::dsl;
 diesel::insert_into(dsl::certificate)
 .values(certificates)
- .on_conflict(dsl::id)
- .do_nothing()
 .execute_async(&conn)
 .await?;
 }
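Review bot: The trimmed `resource Certificate` block no longer records where creating and listing certificates is authorized, so a later reader may re-add the dropped permissions. A comment above `permissions = [ "read", "modify" ];` would capture that, for example `# Creating and listing certificates is authorized on SiloCertificateList, not on Certificate.` The second hunk shows `SiloCertificateList` carrying `list_children` and `create_child` for both silo and fleet admins, which is presumably why the rules are redundant here. It is also worth confirming that no caller still authorizes `create_child` or `list_children` against a `Certificate`, since such a check would presumably no longer be granted after this change. No policy test change is visible in this diff.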