diff --git a/dch-root-ca/dch-root-ca.crt b/dch-root-ca/dch-root-ca.crt
new file mode 100644
index 0000000..6705c7a
--- /dev/null
+++ b/dch-root-ca/dch-root-ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
+-----END CERTIFICATE-----
diff --git a/dch-root-ca/kustomization.yaml b/dch-root-ca/kustomization.yaml
new file mode 100644
index 0000000..605d726
--- /dev/null
+++ b/dch-root-ca/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+- name: dch-root-ca
+ files:
+ - dch-root-ca.crt
diff --git a/dch-webhooks/.gitignore b/dch-webhooks/.gitignore
index 4fdc34d..b5f830b 100644
--- a/dch-webhooks/.gitignore
+++ b/dch-webhooks/.gitignore
@@ -1,2 +1,3 @@
 paperless.token
 firefly.token
+provisioner.password
diff --git a/dch-webhooks/dch-webhooks.env b/dch-webhooks/dch-webhooks.env
new file mode 100644
index 0000000..fb06c57
--- /dev/null
+++ b/dch-webhooks/dch-webhooks.env
@@ -0,0 +1,9 @@
+FIREFLY_URL=http://firefly-iii.firefly-iii.svc.cluster.local:8080
+FIREFLY_AUTH_TOKEN=/run/secrets/du5t1n.me/firefly/firefly.token
+PAPERLESS_URL=http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
+PAPERLESS_AUTH_TOKEN=/run/secrets/du5t1n.me/paperless/paperless.token
+
+STEP_CA_URL=https://ca.pyrocufflink.blue:32599
+STEP_ROOT=/run/dch-root-ca.crt
+STEP_PROVISIONER=host-bootstrap
+STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
diff --git a/dch-webhooks/dch-webhooks.yaml b/dch-webhooks/dch-webhooks.yaml
index 0041f29..5a6f909 100644
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -44,18 +44,13 @@ spec:
 - name: dch-webhooks
 image: git.pyrocufflink.net/containerimages/dch-webhooks
 env:
- - name: FIREFLY_URL
- value: http://firefly-iii.firefly-iii.svc.cluster.local:8080
- - name: FIREFLY_AUTH_TOKEN
- value: /run/secrets/du5t1n.me/firefly/firefly.token
- - name: PAPERLESS_URL
- value: http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
- - name: PAPERLESS_AUTH_TOKEN
- value: /run/secrets/du5t1n.me/paperless/paperless.token
 - name: UVICORN_HOST
 value: 0.0.0.0
 - name: UVICORN_LOG_LEVEL
 value: debug
+ envFrom:
+ - configMapRef:
+ name: dch-webhooks
 ports:
 - name: http
 containerPort: 8000
@@ -74,10 +69,18 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 volumeMounts:
+ - mountPath: /run/dch-root-ca.crt
+ name: root-ca
+ subPath: dch-root-ca.crt
 - mountPath: /run/secrets/du5t1n.me/firefly
 name: firefly-token
 - mountPath: /run/secrets/du5t1n.me/paperless
 name: paperless-token
+ - mountPath: /run/secrets/du5t1n.me/step-ca
+ name: step-ca-password
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
 securityContext:
 runAsNonRoot: true
 volumes:
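Review bot: Every value in dch-webhooks.env ends up in a ConfigMap (the `configMapGenerator` in dch-webhooks/kustomization.yaml reads it via `envs`), so it is readable by anyone who can read ConfigMaps in the namespace; today it carries only URLs and mount paths while the tokens and `provisioner.password` reach the container through Secret-backed volumes, which is the right split. That boundary is not written down anywhere, so the next edit could drop a credential value here without noticing. A two-line header would make it explicit: `# Non-secret settings only: kustomize renders this file into a ConfigMap.` and `# Credentials stay in Secrets; only their mount paths belong here.` Kustomize's env-file parser skips `#` lines, so the comment does not become a key.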
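Review bot: The root-ca mount uses `subPath`, and a subPath mount of a ConfigMap is not refreshed inside a running pod, so a rotated certificate would not reach the container until it restarts. That is acceptable here only because the ConfigMap comes from a kustomize generator whose content-hash suffix forces a new rollout when the file changes, and that dependency is invisible from the Deployment; a comment on the mount, `# subPath: not updated in place; the generator's hash suffix forces a rollout on change`, would record it. The `subPath: tmp` on the `/tmp` mount looks unnecessary, since the `tmp` emptyDir is dedicated to that one mount; mounting the volume directly avoids the subPath handling with no change in behaviour, though that is inferred from this hunk alone. The container spec continues outside the hunk.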
@@ -89,3 +92,13 @@ spec:
 secret:
 secretName: paperless-token
 optional: true
+ - name: root-ca
+ configMap:
+ name: dch-root-ca
+ - name: step-ca-password
+ secret:
+ secretName: step-ca-password
+ optional: true
+ - name: tmp
+ emptyDir:
+ medium: Memory
diff --git a/dch-webhooks/ingress.yaml b/dch-webhooks/ingress.yaml
new file mode 100644
index 0000000..e14109b
--- /dev/null
+++ b/dch-webhooks/ingress.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app.kubernetes.io/name: dch-webhooks
+ app.kubernetes.io/component: dch-webhooks
+ app.kubernetes.io/instance: dch-webhooks
+ app.kubernetes.io/part-of: dch-webhooks
+ name: dch-webhooks
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - webhooks.pyrocufflink.blue
+ rules:
+ - host: webhooks.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: dch-webhooks
+ port:
+ name: http
+
diff --git a/dch-webhooks/kustomization.yaml b/dch-webhooks/kustomization.yaml
index a6765ba..d3a395e 100644
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
+- ../dch-root-ca
 - dch-webhooks.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: dch-webhooks
+ envs:
+ - dch-webhooks.env

 secretGenerator:
 - name: firefly-token
@@ -12,3 +19,7 @@ secretGenerator:
 - name: paperless-token
 files:
 - paperless.token
+
+- name: step-ca-password
+ files:
+ - provisioner.password
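Review bot: The `step-ca-password` volume is `optional: true`, so when the Secret is absent the pod still starts with an empty directory at `/run/secrets/du5t1n.me/step-ca` and the missing `provisioner.password` only surfaces when a request first reaches the step client, with whatever error that path produces. The firefly and paperless tokens follow the same pattern, but this one appears to be the credential that authorises certificate issuance rather than a best-effort integration, so dropping `optional: true` (or a comment explaining why a pod without it should run) would hold the pod in ContainerCreating with a clear event instead of failing late. The `medium: Memory` emptyDir for `/tmp` has no `sizeLimit`; tmpfs usage is charged against the container's memory, so a bound such as `sizeLimit: 64Mi` (constructed value, size per actual usage) keeps a runaway write from ending in an OOM kill. The `volumes` list continues outside the hunk.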
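Review bot: The `tls` entry lists `webhooks.pyrocufflink.blue` but has no `secretName`, so ingress-nginx will serve this host with the controller's default certificate (or its built-in fake certificate if none is configured) rather than one issued for the name; the diff does not show whether a cluster-wide default certificate exists. If that fallback is intended, a comment on the entry such as `# no secretName: served with the controller's default certificate` would stop the next reader from "fixing" it; if not, it needs `secretName: <tls-secret-name>` (placeholder) with whatever issues that secret. The file also ends with an extra blank line, harmless but flagged by yamllint's `empty-lines` rule.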