diff --git a/internal/common/testdata/exported_blueprint.json b/internal/common/testdata/exported_blueprint.json index 2aa3ade18..22b9429f6 100644 --- a/internal/common/testdata/exported_blueprint.json +++ b/internal/common/testdata/exported_blueprint.json @@ -8,6 +8,12 @@ ], "snapshot_date": "2012-12-20", "customizations": { + "aap_registration": { + "ansible_callback_url": "https://aap-gw.example.com/api/controller/v2/job_templates/42/callback/", + "host_config_key": "", + "skip_tls_verification": false, + "tls_certificate_authority": "-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgIUI...\n-----END CERTIFICATE-----" + }, "custom_repositories": [ { "baseurl": [ diff --git a/internal/v1/api.go b/internal/v1/api.go index 0bfc91783..35d313d68 100644 --- a/internal/v1/api.go +++ b/internal/v1/api.go @@ -514,8 +514,9 @@ type CustomRepository struct { // Customizations defines model for Customizations. type Customizations struct { - Cacerts *CACertsCustomization `json:"cacerts,omitempty"` - Containers *[]Container `json:"containers,omitempty"` + AAPRegistration *AAPRegistration `json:"aap_registration,omitempty"` + Cacerts *CACertsCustomization `json:"cacerts,omitempty"` + Containers *[]Container `json:"containers,omitempty"` // CustomRepositories List of custom repositories. CustomRepositories *[]CustomRepository `json:"custom_repositories,omitempty"` @@ -794,8 +795,6 @@ type IgnitionFirstboot struct { // ImageRequest defines model for ImageRequest. type ImageRequest struct { - AAPRegistration *AAPRegistration `json:"aap_registration,omitempty"` - // Architecture CPU architecture of the image, x86_64 and aarch64 are currently supported. Architecture ImageRequestArchitecture `json:"architecture"` diff --git a/internal/v1/api.yaml b/internal/v1/api.yaml index 6d61346d7..6f3576012 100644 --- a/internal/v1/api.yaml +++ b/internal/v1/api.yaml 
@@ -1258,8 +1258,6 @@ components: type: string description: | Name of the content template. Used when registering the system to Insights. - aap_registration: - $ref: '#/components/schemas/AAPRegistration' ImageTypes: type: string enum: @@ -1783,6 +1781,8 @@ components: $ref: '#/components/schemas/Installer' cacerts: $ref: '#/components/schemas/CACertsCustomization' + aap_registration: + $ref: '#/components/schemas/AAPRegistration' Container: type: object required: diff --git a/internal/v1/handler_blueprints.go b/internal/v1/handler_blueprints.go index 1dabb3aec..4b0a087f3 100644 --- a/internal/v1/handler_blueprints.go +++ b/internal/v1/handler_blueprints.go @@ -87,6 +87,12 @@ func (bb *BlueprintBody) RedactCertificates() { bb.Customizations.Cacerts = nil } +func (bb *BlueprintBody) RedactAAPRegistration() { + if bb.Customizations.AAPRegistration != nil { + bb.Customizations.AAPRegistration.HostConfigKey = "" + } +} + // Merges Password or SshKey from other User struct to this User struct if it is not set func (u *User) MergeExisting(other User) { if u.Password == nil { @@ -179,6 +185,12 @@ func WithRedactedCertificates() BlueprintBodyOption { } } +func WithRedactedAAPRegistration() BlueprintBodyOption { + return func(bp *BlueprintBody) { + bp.RedactAAPRegistration() + } +} + func WithRedactedFiles(paths []string) BlueprintBodyOption { return func(bp *BlueprintBody) { if bp.Customizations.Files != nil { @@ -369,9 +381,11 @@ func (h *Handlers) ExportBlueprint(ctx echo.Context, id openapi_types.UUID) erro blueprintEntry, WithRedactedPasswords(), WithRedactedCertificates(), + WithRedactedAAPRegistration(), WithRedactedFiles([]string{ "/etc/systemd/system/register-satellite.service", "/usr/local/sbin/register-satellite", + "/usr/local/sbin/aap-first-boot-reg", }), ) if err != nil { diff --git a/internal/v1/handler_blueprints_test.go b/internal/v1/handler_blueprints_test.go index 6fa1fbb50..c02811edc 100644 --- a/internal/v1/handler_blueprints_test.go 
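Review bot: The `aap_registration` property added under Customizations has no description, although it brings `host_config_key`, a registration credential, into the customizations object that blueprints carry (the export fixture in this commit shows it there). A line such as `description: AAP first-boot registration settings; host_config_key is a secret and is blanked on export.` would make that explicit. The earlier api.yaml hunk removes the same property from ImageRequest with no deprecated alias, so a client that still sends it under `image_requests[]` would presumably get an image without AAP registration rather than an error. The AAPRegistration schema is outside this diff, so whether it already marks the key as write-only cannot be confirmed here.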
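Review bot: `RedactAAPRegistration` blanks `HostConfigKey` through the existing pointer, so any other holder of the same `*AAPRegistration` loses the key as well, whereas `RedactCertificates` just above only drops its pointer. If the body is not always freshly decoded, redact a copy instead: `redacted := *bb.Customizations.AAPRegistration; redacted.HostConfigKey = ""; bb.Customizations.AAPRegistration = &redacted`. The export fixture now carries `"host_config_key": ""`, so a re-imported blueprint will hold an empty key, and nothing visible in this diff rejects that before the first-boot script is rendered. Both this method and `WithRedactedAAPRegistration` in the next hunk are exported without doc comments; suggested: `// RedactAAPRegistration clears the AAP host config key so it is not returned to the caller; the callback URL and CA certificate are kept.`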
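Review bot: `WithRedactedAAPRegistration()` is applied only in `ExportBlueprint` in this diff, while the host config key now lives in blueprint customizations. Any other handler that returns a blueprint body (none is visible here) should pass the same option, otherwise the key comes back in clear text on those paths; `TestHandlers_CreateBlueprint` in this commit shows that `BlueprintFromEntry` without options returns the key unchanged. The new `"/usr/local/sbin/aap-first-boot-reg"` entry is a string literal that has to stay in step with wherever the script path is defined, so a shared constant would keep the redaction list from drifting. ExportBlueprint's body continues outside the hunk.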
+++ b/internal/v1/handler_blueprints_test.go @@ -71,6 +71,12 @@ func TestHandlers_CreateBlueprint(t *testing.T) { {"name": "user", "password": "test"}, {"name": "user2", "ssh_key": "ssh-rsa AAAAB3NzaC1"}, }, + "aap_registration": map[string]interface{}{ + "ansible_callback_url": "https://aap-gw.example.com/api/controller/v2/job_templates/42/callback/", + "host_config_key": "test-host-config-key-12345", + "tls_certificate_authority": "-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgIUI...\n-----END CERTIFICATE-----", + "skip_tls_verification": false, + }, }, "distribution": "centos-9", "image_requests": []map[string]interface{}{ @@ -93,6 +99,15 @@ func TestHandlers_CreateBlueprint(t *testing.T) { require.NoError(t, err) require.Nil(t, be.Metadata) + blueprint, err := v1.BlueprintFromEntry(be) + require.NoError(t, err) + require.NotNil(t, blueprint.Customizations.AAPRegistration) + require.Equal(t, "https://aap-gw.example.com/api/controller/v2/job_templates/42/callback/", blueprint.Customizations.AAPRegistration.AnsibleCallbackUrl) + require.Equal(t, "test-host-config-key-12345", blueprint.Customizations.AAPRegistration.HostConfigKey) + require.Equal(t, "-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgIUI...\n-----END CERTIFICATE-----", blueprint.Customizations.AAPRegistration.TlsCertificateAuthority) + require.NotNil(t, blueprint.Customizations.AAPRegistration.SkipTlsVerification) + require.False(t, *blueprint.Customizations.AAPRegistration.SkipTlsVerification) + // Test unique name constraint statusCode, resp := tutils.PostResponseBody(t, srvURL+"/api/image-builder/v1/blueprints", body) require.Equal(t, http.StatusUnprocessableEntity, statusCode) 
@@ -877,14 +892,13 @@ func TestHandlers_BlueprintFromEntryRedactedForExport(t *testing.T) { result, err := v1.BlueprintFromEntry( be, v1.WithRedactedPasswords(), - v1.WithRedactedCertificates(), v1.WithRedactedFiles([]string{ "/etc/systemd/system/register-satellite.service", "/usr/local/sbin/register-satellite", }), ) require.NoError(t, err) - require.Nil(t, result.Customizations.Cacerts) + require.NotNil(t, result.Customizations.Cacerts) require.Nil(t, result.Customizations.Files) }) @@ -916,7 +930,6 @@ func TestHandlers_BlueprintFromEntryRedactedForExport(t *testing.T) { result, err := v1.BlueprintFromEntry( be, v1.WithRedactedPasswords(), - v1.WithRedactedCertificates(), v1.WithRedactedFiles([]string{ "/etc/systemd/system/register-satellite.service", "/usr/local/sbin/register-satellite", @@ -1127,6 +1140,12 @@ func TestHandlers_ExportBlueprint(t *testing.T) { Subscription: &v1.Subscription{ ActivationKey: "aaa", }, + AAPRegistration: &v1.AAPRegistration{ + AnsibleCallbackUrl: "https://aap-gw.example.com/api/controller/v2/job_templates/42/callback/", + HostConfigKey: "test-host-config-key-12345", + TlsCertificateAuthority: "-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgIUI...\n-----END CERTIFICATE-----", + SkipTlsVerification: common.ToPtr(false), + }, Users: common.ToPtr([]v1.User{ { Name: "user", @@ -1257,6 +1276,12 @@ func TestHandlers_ExportBlueprint(t *testing.T) { Subscription: &v1.Subscription{ ActivationKey: "aaa", }, + AAPRegistration: &v1.AAPRegistration{ + AnsibleCallbackUrl: "https://aap-gw.example.com/api/controller/v2/job_templates/42/callback/", + HostConfigKey: "test-host-config-key-12345", + TlsCertificateAuthority: "-----BEGIN CERTIFICATE-----\nMIIC0DCCAbigAwIBAgIUI...\n-----END CERTIFICATE-----", + SkipTlsVerification: common.ToPtr(false), + }, Users: common.ToPtr([]v1.User{ { Name: "user", diff --git a/internal/v1/handler_compose_image.go b/internal/v1/handler_compose_image.go index 6c166afa9..3a3d312e5 100644 
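Review bot: `TestHandlers_BlueprintFromEntryRedactedForExport` no longer matches the option set that `ExportBlueprint` uses. This hunk and the next one drop `v1.WithRedactedCertificates()`, and the assertion here becomes `require.NotNil(t, result.Customizations.Cacerts)`, while the handler still passes `WithRedactedCertificates()` and now also `WithRedactedAAPRegistration()`. As written, this test no longer covers certificate redaction and never checks that `HostConfigKey` comes back empty. Keep the certificate option with `require.Nil` here, and add a case with an `AAPRegistration` that asserts `require.Empty(t, result.Customizations.AAPRegistration.HostConfigKey)`. The test function starts outside the hunk.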
--- a/internal/v1/handler_compose_image.go +++ b/internal/v1/handler_compose_image.go @@ -1272,7 +1272,7 @@ func (h *Handlers) buildCustomizations(ctx echo.Context, cr *ComposeRequest, d * } } - if aap := cr.ImageRequests[0].AAPRegistration; aap != nil { + if aap := cust.AAPRegistration; aap != nil { script, err := tmpl.RenderAAPRegistrationScript(ctx.Request().Context(), tmpl.AAPRegistrationParams{ HostConfigKey: aap.HostConfigKey, AnsibleCallbackUrl: aap.AnsibleCallbackUrl, diff --git a/internal/v1/handler_post_compose_test.go b/internal/v1/handler_post_compose_test.go index cea57ee1a..21c60bb19 100644 --- a/internal/v1/handler_post_compose_test.go +++ b/internal/v1/handler_post_compose_test.go @@ -2955,8 +2955,14 @@ func TestComposeCustomizations(t *testing.T) { // aap first boot registration { imageBuilderRequest: v1.ComposeRequest{ - Customizations: &v1.Customizations{}, - Distribution: "rhel-8", + Customizations: &v1.Customizations{ + AAPRegistration: &v1.AAPRegistration{ + AnsibleCallbackUrl: "http://some-url.org/api/controller/v2/job_templates/38/callback/", + HostConfigKey: "some-key", + TlsCertificateAuthority: "---BEGIN CERTIFICATE---\nMIIC0DCCAbigAwIBAgIUI...\n---END CERTIFICATE---", + }, + }, + Distribution: "rhel-8", ImageRequests: []v1.ImageRequest{ { Architecture: "x86_64", @@ -2965,11 +2971,6 @@ func TestComposeCustomizations(t *testing.T) { Type: v1.UploadTypesAwsS3, Options: uo, }, - AAPRegistration: &v1.AAPRegistration{ - AnsibleCallbackUrl: "http://some-url.org/api/controller/v2/job_templates/38/callback/", - HostConfigKey: "some-key", - TlsCertificateAuthority: "---BEGIN CERTIFICATE---\nMIIC0DCCAbigAwIBAgIUI...\n---END CERTIFICATE---", - }, }, }, },
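Review bot: `cust.AAPRegistration` is read without a visible nil check on `cust`. If `cust` is `cr.Customizations`, which the compose test in this commit shows to be a pointer, the guard has to exist earlier in `buildCustomizations`, which starts outside the hunk. `HostConfigKey` and `AnsibleCallbackUrl` go straight into `RenderAAPRegistrationScript`, so this is also the place to return a 400 when `aap.HostConfigKey == ""` (the export path now produces an empty key) before a first-boot script is generated. The compose test uses an `http://` callback URL; if the key is sent to that URL at first boot, as the parameter names suggest, plain HTTP should be rejected or at least documented as unsafe.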