diff --git a/roles/openshift-apps/firmitas/tasks/create-cronjob.yml b/roles/openshift-apps/firmitas/tasks/create-cronjob.yml
new file mode 100644
index 0000000000..1b45a445ea
--- /dev/null
+++ b/roles/openshift-apps/firmitas/tasks/create-cronjob.yml
@@ -0,0 +1,15 @@
+---
+# generate the templates for project to be created
+- name: create the cronjob template
+  template:
+    src: "cronjob.yml"
+    dest: "/root/ocp4/openshift-apps/firmitas/cronjob.yml"
+    mode: 0770
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/firmitas/cronjob.yml"
+  retries: 3
+  delay: 5
+  register: cronjob_result
+  until: cronjob_result.rc == 0
diff --git a/roles/openshift-apps/firmitas/tasks/main.yml b/roles/openshift-apps/firmitas/tasks/main.yml
index ad9ad02192..35a4c8771f 100644
--- a/roles/openshift-apps/firmitas/tasks/main.yml
+++ b/roles/openshift-apps/firmitas/tasks/main.yml
@@ -10,4 +10,5 @@
 - include_tasks: create-persistent-volume-claim.yml
 - include_tasks: create-imagestream.yml
 - include_tasks: create-buildconfig.yml
+- include_tasks: create-cronjob.yml
 - include_tasks: create-deployment.yml
diff --git a/roles/openshift-apps/firmitas/templates/cronjob.yml b/roles/openshift-apps/firmitas/templates/cronjob.yml
new file mode 100644
index 0000000000..b42ff00041
--- /dev/null
+++ b/roles/openshift-apps/firmitas/templates/cronjob.yml
@@ -0,0 +1,33 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: "{{firmitas_application_name}}"
+  namespace: "{{firmitas_namespace}}"
+spec:
+  schedule: "*/1 * * * *"
+  timeZone: Etc/UTC
+  concurrencyPolicy: "Replace"
+  startingDeadlineSeconds: 200
+  suspend: true
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            parent: "cronjob-certdownloader"
+        spec:
+          containers:
+          - image: "{{ firmitas_image }}"
+            name: "{{ firmitas_application_name }}"
+            command: ["sh", "download_certificates.sh"]
+          restartPolicy: OnFailure
+          volumeMounts:
+            - name: "{{ firmitas_application_name }}-configuration-secret-volume"
+              mountPath: "/etc/firmitas/"
+        volumes:
+          - name: "{{ firmitas_application_name }}-configuration-secret-volume"
+            secret:
+              secretName: "{{ firmitas_application_name }}-configuration-secret"
diff --git a/roles/openshift-apps/firmitas/templates/myconfig.py.j2 b/roles/openshift-apps/firmitas/templates/myconfig.py.j2
index 56ee80d863..a2a6b92da9 100644
--- a/roles/openshift-apps/firmitas/templates/myconfig.py.j2
+++ b/roles/openshift-apps/firmitas/templates/myconfig.py.j2
@@ -56,10 +56,10 @@ Variables related to probing
 """
 
 # The location of the X.509 standard TLS certificates
-certloca = "/etc/firmitas/certs/"  # noqa : S108
+certloca = "/etc/firmitas/{{ (env == 'staging')|ternary('certificates/staging', 'certificates/production') }}"  # noqa : S108
 
 # The location of the service hostnames and maintainers map
-hostloca = "/etc/firmitas/certlist.yml"  # noqa: S108
+hostloca = "/etc/firmitas/{{ (env == 'staging')|ternary('certificates/staging/staging_certlist.txt', 'certificates/production/production_certlist.txt') }}"  # noqa: S108
 
 """
 Variables related to logging