diff --git a/cmd/hepto/config.go b/cmd/hepto/config.go
index 3030b1a50839f0eb589ce6bc7102ce21882fdebd..f9f95ac27c4fbfa4c0481d1deffb5a306e2c31a6 100644
--- a/cmd/hepto/config.go
+++ b/cmd/hepto/config.go
@@ -35,12 +35,14 @@ func (c *Config) Complete() error {
 	c.Container.Logger = c.Logger
 	c.Cluster.Logger = c.Logger
 	c.Cluster.ZapLogger = logger
+	c.Cluster.CertsPath = "/certs"
 	// Setup paths and container settings
 	c.Container.Data = path.Join(c.DataDir, c.Cluster.Name, c.Node.Name)
 	err = os.MkdirAll(c.Container.Data, 0o700)
 	if err != nil {
 		return err
 	}
+	c.Container.Mounts[c.Cluster.CertsPath] = path.Join(c.Container.Data, "certs")
 	c.Container.Name = c.Node.Name
 	c.Container.Capabilities = additionalCapabilities
 	c.Container.Devices = additionalDevices
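Review bot: The host directory behind the new mount, `path.Join(c.Container.Data, "certs")`, is never created in this hunk; only `c.Container.Data` gets `os.MkdirAll(..., 0o700)`. This directory will hold the cluster CA and node private keys, so create it explicitly rather than leaving its creation and mode to whatever sets up the mount, e.g. `certsDir := path.Join(c.Container.Data, "certs")` followed by `if err = os.MkdirAll(certsDir, 0o700); err != nil { return err }`. The write to `c.Container.Mounts[...]` will also panic if that map has not been allocated by this point; its initialisation is not visible here, so this should be confirmed. The body of `Complete` starts and ends outside the hunk.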
diff --git a/pkg/cluster/certs.go b/pkg/cluster/certs.go
index 659b6023d982a13809110fe7e4c083a63ceaf195..a7c7bed21a416da26554c64172172b268d0f0a0c 100644
--- a/pkg/cluster/certs.go
+++ b/pkg/cluster/certs.go
@@ -2,6 +2,7 @@ package cluster
 
 import (
 	"os"
+	"path"
 
 	"forge.tedomum.net/acides/hepto/hepto/pkg/pki"
 )
@@ -9,12 +10,12 @@ import (
 func (c *Cluster) initCerts() {
 	// Prepare the cluster PKI
 	if c.node.Role == Master {
-		ca, err := pki.NewClusterCA("/pki")
+		ca, err := pki.NewClusterCA(path.Join(c.settings.CertsPath, "pki"))
 		if err != nil {
 			c.settings.Logger.Error(err, "could not initialize pki")
 			os.Exit(1)
 		}
-		masterCerts, err := pki.NewMasterCerts("/master", c.networking.NodeAddress.IP)
+		masterCerts, err := pki.NewMasterCerts(path.Join(c.settings.CertsPath, "master"), c.networking.NodeAddress.IP)
 		if err != nil {
 			c.settings.Logger.Error(err, "could not initialize master certs")
 			os.Exit(1)
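Review bot: `c.settings.CertsPath` is used without validation, and `path.Join("", "pki")` returns the relative path `pki`. A caller that leaves the new field empty would therefore get the CA and master key material written relative to the process working directory instead of to the mounted store. A guard at the top of `initCerts`, such as `if !path.IsAbs(c.settings.CertsPath) { c.settings.Logger.Error(nil, "certs path must be absolute"); os.Exit(1) }`, would make this fail loudly. The same applies to the `pki.EmptyClusterCA` and `pki.NewNodeCerts` calls in the two following hunks. The function body continues outside this hunk.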
@@ -23,7 +24,7 @@ func (c *Cluster) initCerts() {
 		c.masterCerts = masterCerts
 		c.pki.SignMasterCerts(c.masterCerts)
 	} else {
-		ca, err := pki.EmptyClusterCA("/pki")
+		ca, err := pki.EmptyClusterCA(path.Join(c.settings.CertsPath, "pki"))
 		if err != nil {
 			c.settings.Logger.Error(err, "could not initialize pki")
 			os.Exit(1)
@@ -32,7 +33,7 @@ func (c *Cluster) initCerts() {
 	}
 	c.ml.State.PKI = c.pki
 	// Initialize node certificates
-	certs, err := pki.NewNodeCerts("/certs", c.node.Name)
+	certs, err := pki.NewNodeCerts(path.Join(c.settings.CertsPath, "node"), c.node.Name)
 	if err != nil {
 		c.settings.Logger.Error(err, "could not initialize node certs")
 		os.Exit(1)
diff --git a/pkg/cluster/config.go b/pkg/cluster/config.go
index 5babd6824edaa1109bbb82851f1ff6accb4d6ccb..cfc34bf8355bdfe47721fc59ea108f1f13113341 100644
--- a/pkg/cluster/config.go
+++ b/pkg/cluster/config.go
@@ -13,6 +13,8 @@ type ClusterSettings struct {
 	Logger logr.Logger
 	// Concrete zap logger for etcd
 	ZapLogger *zap.Logger
+	// Path to certificate storage
+	CertsPath string
 	// Cluster name, should be locally unique
 	Name string
 	// Cluster key, must be shared across nodes