diff --git a/kustomize/pki/resources/private-issuer/ca/cert-init.yaml b/kustomize/pki/resources/private-issuer/ca/cert-init.yaml new file mode 100644 index 000000000..132c0a930 --- /dev/null +++ b/kustomize/pki/resources/private-issuer/ca/cert-init.yaml @@ -0,0 +1,67 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: cert-init + namespace: system-pki + annotations: + fluxcd.io/reconcile: "false" + labels: + app: cert-init +spec: + backoffLimit: 10 + template: + metadata: + labels: + app: cert-init + spec: + serviceAccountName: copy-root-cert + containers: + - name: cert-init + # renovate: datasource=docker depName=kubectl package=bitnami/kubectl + image: bitnami/kubectl:1.33.4 + command: + - /bin/sh + - -c + - | + set -e + + echo "Initializing certificate sync for trust-manager..." + + # Wait for secret to be available + i=1 + while [ $i -le 30 ]; do + if kubectl get secret private-ca-cert -n system-pki >/dev/null 2>&1; then + echo "Secret found, proceeding with sync..." + break + else + echo "Waiting for secret (attempt $i/30)..." + sleep 10 + fi + i=$((i + 1)) + done + + if [ $i -gt 30 ]; then + echo "Failed to find secret after 30 attempts" >&2 + exit 1 + fi + + # Execute the shared sync script + cp /scripts/sync.sh /tmp/sync.sh + /tmp/sync.sh + + echo "Certificate sync completed successfully - trust-manager can now distribute the CA cert" + volumeMounts: + - name: script-volume + mountPath: /scripts + readOnly: true + - name: temp-volume + mountPath: /tmp + restartPolicy: OnFailure + volumes: + - name: script-volume + configMap: + name: cert-sync-script + defaultMode: 0755 + - name: temp-volume + emptyDir: {} diff --git a/kustomize/pki/resources/private-issuer/ca/cert-sync-script.yaml b/kustomize/pki/resources/private-issuer/ca/cert-sync-script.yaml new file mode 100644 index 000000000..a0fa5adf5 --- /dev/null +++ b/kustomize/pki/resources/private-issuer/ca/cert-sync-script.yaml 
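Review bot: The cert-init pod runs under the `copy-root-cert` ServiceAccount with no `securityContext` at all, while its token can `get` the `private-ca-cert` Secret — if that is the Secret the CA issuer references, it holds the issuer's private key (`tls.key`) as well as `ca.crt`, so the blast radius of this pod is the whole private PKI (rbac.yaml is outside this diff; confirm the Role is narrowed with `resourceNames: [private-ca-cert]` and grants no `list`/`watch`). Both this Job and the CronJob in cert-sync.yaml should carry a hardened container `securityContext` — `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` (the `/tmp` emptyDir already covers the script's scratch files) — plus an `activeDeadlineSeconds` on the Job so a pod stuck in the 30×10 s wait does not keep that token mounted indefinitely. Separately, `cp /scripts/sync.sh /tmp/sync.sh` followed by `/tmp/sync.sh` is unnecessary: the ConfigMap volume already sets `defaultMode: 0755`, and cert-sync.yaml executes `/scripts/sync.sh` in place; running it from the read-only mount is preferable to running a copy from a writable directory shared with the certificate scratch files. The `fluxcd.io/reconcile: "false"` annotation does not match a Flux annotation I recognise (Flux v2 uses `kustomize.toolkit.fluxcd.io/reconcile: disabled`); verify it is honoured or drop it.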
@@ -0,0 +1,49 @@ +--- +# Shared certificate sync script +apiVersion: v1 +kind: ConfigMap +metadata: + name: cert-sync-script + namespace: system-pki + labels: + app: cert-sync +data: + sync.sh: | + #!/bin/sh + set -e + + echo "Starting certificate sync..." + + # Check if secret exists + if kubectl get secret private-ca-cert -n system-pki >/dev/null 2>&1; then + # Get current CA cert + kubectl get secret private-ca-cert -n system-pki -o jsonpath='{.data.ca\.crt}' | base64 --decode > /tmp/current_ca.crt + + # Check if configmap exists and compare + if kubectl get configmap private-ca-cert -n system-pki-trust >/dev/null 2>&1; then + kubectl get configmap private-ca-cert -n system-pki-trust -o jsonpath='{.data.ca\.crt}' > /tmp/existing_ca.crt + + if cmp -s /tmp/current_ca.crt /tmp/existing_ca.crt; then + echo "Certificates match, no update needed" + exit 0 + else + echo "Certificates differ, updating configmap..." + kubectl create configmap private-ca-cert \ + --from-file=ca.crt=/tmp/current_ca.crt \ + -n system-pki-trust \ + --dry-run=client -o yaml | kubectl apply -f - + echo "ConfigMap updated successfully" + exit 0 + fi + else + echo "ConfigMap does not exist, creating..." + kubectl create configmap private-ca-cert \ + --from-file=ca.crt=/tmp/current_ca.crt \ + -n system-pki-trust + echo "ConfigMap created successfully" + exit 0 + fi + else + echo "Secret not found" + exit 1 + fi diff --git a/kustomize/pki/resources/private-issuer/ca/cert-sync.yaml b/kustomize/pki/resources/private-issuer/ca/cert-sync.yaml new file mode 100644 index 000000000..53f3b3782 --- /dev/null +++ b/kustomize/pki/resources/private-issuer/ca/cert-sync.yaml 
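Review bot: The decoded CA is applied to the trust namespace without any validation: under `set -e` only the status of the last command in `kubectl get secret ... | base64 --decode > /tmp/current_ca.crt` counts, so a transient kubectl failure produces an empty file that the update branch then writes into `private-ca-cert`, and trust-manager would distribute an empty bundle. Add a guard right after the decode, e.g. `grep -q 'BEGIN CERTIFICATE' /tmp/current_ca.crt || { echo "decoded ca.crt is empty or not PEM" >&2; exit 1; }` (`set -o pipefail` is not guaranteed under `/bin/sh`). The `cmp -s` comparison is also likely to always report a difference, because `-o jsonpath` prints the ConfigMap value without a trailing newline while the base64-decoded Secret data normally ends with one; strip trailing newlines from both files before comparing, or compare the base64-encoded values, otherwise the "no update needed" path is dead and the ConfigMap is rewritten on every run. Finally, the two branches create the ConfigMap differently — bare `kubectl create configmap` on first creation versus `--dry-run=client -o yaml | kubectl apply -f -` on update; using the apply form in both makes a concurrent run (the Job and the CronJob share this script) idempotent instead of a failure.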
@@ -0,0 +1,49 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cert-sync + namespace: system-pki + annotations: + fluxcd.io/automated: "true" + labels: + app: cert-sync +spec: + # Run daily at 2 AM + schedule: "0 2 * * *" + concurrencyPolicy: Replace + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + backoffLimit: 3 + template: + metadata: + labels: + app: cert-sync + spec: + serviceAccountName: copy-root-cert + containers: + - name: cert-sync + # renovate: datasource=docker depName=kubectl package=bitnami/kubectl + image: bitnami/kubectl:1.33.4 + command: + - /bin/sh + - -c + - | + echo "Checking for certificate changes..." + /scripts/sync.sh + volumeMounts: + - name: script-volume + mountPath: /scripts + readOnly: true + - name: temp-volume + mountPath: /tmp + restartPolicy: OnFailure + volumes: + - name: script-volume + configMap: + name: cert-sync-script + defaultMode: 0755 + - name: temp-volume + emptyDir: {} diff --git a/kustomize/pki/resources/private-issuer/ca/copy-root-cert-job.yaml b/kustomize/pki/resources/private-issuer/ca/copy-root-cert-job.yaml deleted file mode 100644 index a5cf34652..000000000 --- a/kustomize/pki/resources/private-issuer/ca/copy-root-cert-job.yaml +++ /dev/null 
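Review bot: The `fluxcd.io/automated: "true"` annotation on the CronJob conflicts with the `# renovate: ... bitnami/kubectl` pin a few lines below it: if Flux image automation is active it will bump the `image:` tag independently of Renovate and the two will fight over the same line, so keep one mechanism and remove the other (the cert-init Job in the same change uses a different `fluxcd.io/*` annotation, which suggests these were not applied deliberately). `jobTemplate.spec` has no `activeDeadlineSeconds`, so a kubectl call that hangs on an unreachable API server leaves the pod — and its Secret-reading token — alive until the next day's `Replace`; `activeDeadlineSeconds: 600` bounds that. The daily schedule also means a rotated CA reaches trust-manager up to 24 h late; if CA rotation is expected, say so in the comment next to `schedule` or tighten the interval.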
@@ -1,46 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: copy-root-cert-job - namespace: system-pki -spec: - backoffLimit: 10 - template: - spec: - containers: - - name: copy-root-cert - # renovate: datasource=docker depName=kubectl package=bitnami/kubectl - image: bitnami/kubectl:1.33.4 - command: - - /bin/sh - - -c - - | - set -e - - i=1 - while [ $i -le 10 ]; do - if kubectl get secret private-ca-cert -n system-pki; then - kubectl get secret private-ca-cert -n system-pki -o jsonpath='{.data.ca\.crt}' | base64 --decode > /mnt/ca.crt; - if ! kubectl get configmap private-ca-cert -n system-pki-trust >/dev/null 2>&1; then - kubectl create configmap private-ca-cert --from-file=ca.crt=/mnt/ca.crt -n system-pki-trust --dry-run=client -o yaml | kubectl apply -f -; - fi; - break; - else - echo "waiting for secret"; - sleep 6; - fi; - i=$((i + 1)) - if [ $i -gt 10 ]; then - echo "Failed to retrieve secret after 10 attempts" >&2; - exit 1; - fi; - done; - volumeMounts: - - name: cert-volume - mountPath: /mnt - restartPolicy: OnFailure - volumes: - - name: cert-volume - emptyDir: {} - serviceAccountName: copy-root-cert diff --git a/kustomize/pki/resources/private-issuer/ca/kustomization.yaml b/kustomize/pki/resources/private-issuer/ca/kustomization.yaml index c61125cf8..4f67cb9e8 100644 --- a/kustomize/pki/resources/private-issuer/ca/kustomization.yaml +++ b/kustomize/pki/resources/private-issuer/ca/kustomization.yaml @@ -4,7 +4,9 @@ resources: - ca-certificate.yaml - ca-issuer.yaml - inject-private-ca-policy.yaml - - copy-root-cert-job.yaml + - cert-sync-script.yaml + - cert-init.yaml + - cert-sync.yaml - rbac.yaml - serviceaccount.yaml - trust-bundle.yaml