diff --git a/cert-manager/.gitignore b/cert-manager/.gitignore
index a8a1b25..8809eb4 100644
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@@ -1,2 +1,3 @@
+cert-exporter.pem
 cert-manager.key
 zerossl.secret
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
new file mode 100644
index 0000000..cbc5782
--- /dev/null
+++ b/cert-manager/cert-exporter.yaml
@@ -0,0 +1,94 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-exporter + namespace: cert-manager + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-exporter + namespace: cert-manager +data: + config.yml: | + git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git + certs: + - name: pyrocufflink-cert + namespace: default + key: certificates/_.pyrocufflink.net.key + cert: certificates/_.pyrocufflink.net.crt + bundle: certificates/_.pyrocufflink.net.pem + known-hosts-command.ssh_config: | + KnownHostsCommand /usr/bin/curl -fsL https://files.pyrocufflink.blue/ssh_known_hosts + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cert-exporter +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + resourceNames: + - pyrocufflink-cert + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cert-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-exporter +subjects: +- kind: ServiceAccount + name: cert-exporter + namespace: cert-manager + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cert-exporter + namespace: cert-manager +spec: + timeZone: America/Chicago + schedule: '27 20 * * *' + jobTemplate: + spec: + template: + spec: + containers: + - image: git.pyrocufflink.net/containerimages/cert-exporter + name: cert-exporter + volumeMounts: + - mountPath: /etc/cert-exporter/config.yml + name: config + subPath: config.yml + readOnly: true + - mountPath: /home/cert-exporter/.ssh/id_ed25519 + name: sshkeys + subPath: cert-exporter.pem + readOnly: true + - mountPath: /etc/ssh/ssh_config.d/known-hosts-command.conf + name: config + subPath: known-hosts-command.ssh_config + readOnly: true + securityContext: + fsGroup: 1000 + serviceAccount: cert-exporter + volumes: + - name: config + configMap: + name: cert-exporter + - name: sshkeys + secret: + secretName: cert-exporter-sshkey + defaultMode: 00440 + restartPolicy: Never 
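Review bot: The Role and RoleBinding carry no `metadata.namespace`, yet the only secret they authorize (`pyrocufflink-cert`) is declared in the ConfigMap as living in `namespace: default`, while every other object in this file is placed in `cert-manager`; a Role is namespaced, so `get secrets` lands in whatever namespace the apply (or a kustomize `namespace:` field, if the kustomization sets one) defaults to, and if that is not `default` the job fails with a 403, while if it happens to be `default` the grant works only by accident. Add `namespace: default` under both objects' `metadata:` so the scope of the secret read is explicit; the RoleBinding subject already names the ServiceAccount's `cert-manager` namespace, which is right for a cross-namespace binding. Two smaller points in the CronJob: the container image has no tag or digest, so each run pulls whatever `:latest` currently resolves to — pin it, e.g. `image: git.pyrocufflink.net/containerimages/cert-exporter:<tag-or-digest>`; and `serviceAccount:` is the deprecated PodSpec field, `serviceAccountName: cert-exporter` is the current one. `defaultMode: 00440` depends on YAML 1.1 leading-zero octal parsing; `0440` is the conventional spelling and less likely to be misread as decimal.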
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml index 7b1695d..3e3c72b 100644 --- a/cert-manager/kustomization.yaml +++ b/cert-manager/kustomization.yaml @@ -5,6 +5,7 @@ resources: - cert-manager.yaml - cluster-issuer.yaml - certificates.yaml +- cert-exporter.yaml secretGenerator: - name: cert-manager-tsig @@ -20,3 +21,10 @@ secretGenerator: - zerossl.secret options: disableNameSuffixHash: true + +- name: cert-exporter-sshkey + namespace: cert-manager + files: + - cert-exporter.pem + options: + disableNameSuffixHash: true
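Review bot: The new `cert-exporter-sshkey` generator reads `cert-exporter.pem`, which this same commit adds to `.gitignore`, so `kustomize build` aborts on any checkout where the private key has not been placed beside the kustomization (a fresh clone or a CI runner); that is presumably intended, but nothing in the file says so. A comment above the entry would spare the next person a confusing failure, e.g. `# cert-exporter.pem: SSH private key for the certs repo; kept out of git, must exist locally for the build`. The key name inside the generated Secret is the file name, which is what the `subPath: cert-exporter.pem` mount in cert-exporter.yaml relies on, so renaming the file means changing both places.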