diff --git a/share/gitea-tekton-org/v1_ConfigMap_auto-cd-templates.yaml b/share/gitea-tekton-org/v1_ConfigMap_auto-cd-templates.yaml
index 6e672dd..4493570 100644
--- a/share/gitea-tekton-org/v1_ConfigMap_auto-cd-templates.yaml
+++ b/share/gitea-tekton-org/v1_ConfigMap_auto-cd-templates.yaml
@@ -618,6 +618,9 @@ data:
 provider: generic
 secretRef:
 name: gitea-docker
+ certSecretRef:
+ name: ssh-credentials-flux
+
 base-cert.yaml.tmpl: |-
 ---
 apiVersion: cert-manager.io/v1
diff --git a/share/organisation/gitea-user.tf b/share/organisation/gitea-user.tf
index 02a1d6f..732c358 100644
--- a/share/organisation/gitea-user.tf
+++ b/share/organisation/gitea-user.tf
@@ -7,6 +7,13 @@ locals {
 ci-user-password = random_password.password.result
 }
+data "kubernetes_secret_v1" "gitea-cert" {
+ metadata {
+ name = "gitea-cert"
+ namespace = "${var.domain}-ci"
+ }
+}
+
 data "kubernetes_secret_v1" "gitea" {
 metadata {
 name = "gitea-admin-user"
diff --git a/share/organisation/stages.tf b/share/organisation/stages.tf
index 48cd751..f4376bd 100644
--- a/share/organisation/stages.tf
+++ b/share/organisation/stages.tf
@@ -71,6 +71,7 @@ resource "kubernetes_secret_v1" "ci-git-secret" {
 namespace = "${local.sorted-stages[count.index].namespace}"
 }
 data = {
+ "ca.crt" = lookup(data.kubernetes_secret_v1.gitea-cert.data, "ca.crt", lookup(data.kubernetes_secret_v1.gitea-cert.data, "tls.crt", ""))
 "identity" = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-privatekey"]
 "known_hosts" = data.local_file.known_host[0].content
 }
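Review bot: The new `certSecretRef` reuses `ssh-credentials-flux`, a secret whose name says it carries SSH credentials, so the TLS trust anchor for this source sits next to a private key and the template does not say which key it expects. If this is the secret that stages.tf fills with `ca.crt`, `identity` and `known_hosts` (its metadata name is outside that hunk), a dedicated CA-only secret would keep the reference least-privilege. At minimum, add a comment above the field, e.g. `# ssh-credentials-flux must carry a non-empty ca.crt (Gitea CA); written by organisation/stages.tf`. The enclosing resource starts before the hunk, so its kind is not visible here.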
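Review bot: The `kubernetes_secret_v1` data source `gitea-cert` pulls every key of that secret into Terraform state, not just the certificate that stages.tf consumes. If `gitea-cert` is a TLS secret, as the `tls.crt` fallback in stages.tf suggests, the server's `tls.key` would be stored in state as well. I would add a comment above the block recording this, e.g. `# Only ca.crt/tls.crt are used; the full secret (incl. any tls.key) is still written to state, so keep the backend encrypted and access-restricted`. If a CA-only secret or ConfigMap is available in `${var.domain}-ci`, reading that instead avoids the exposure.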
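Review bot: The nested `lookup` on the `"ca.crt"` line falls back to `""`, so a `gitea-cert` secret with neither key produces a `ca.crt` entry that is silently empty, and the failure only shows up later in whatever verifies TLS against it. `lookup` also returns the stored value whenever the key exists, so a `ca.crt` key that is present but empty never reaches the `tls.crt` fallback. `coalesce` skips empty strings and fails the plan when nothing is left: `"ca.crt" = coalesce(lookup(data.kubernetes_secret_v1.gitea-cert.data, "ca.crt", ""), lookup(data.kubernetes_secret_v1.gitea-cert.data, "tls.crt", ""))`. When the `tls.crt` fallback is used, the copied value is the serving certificate as of the last apply, so a comment should say it needs re-applying after certificate rotation. The resource body starts before the hunk.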