diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
index c6030c9..0ae4c59 100644
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -20,6 +20,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd_webapp
 method: jwt
@@ -30,7 +31,7 @@ concurrency:
 jobs:
 gitea_vault_auth:
 name: Auth with gitea for vault
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 outputs:
 gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
 steps:
@@ -44,13 +45,16 @@ jobs:
 name: Tofu - Vault
 needs:
 - gitea_vault_auth
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
 steps:
 - *vault_step
 - uses: actions/checkout@v4
+ - name: prepare vault self signed cert
+ run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
 - name: terraform apply
 uses: dflook/terraform-apply@v1
 with:
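Review bot: The new `caCertificate: ${{ secrets.HOMELAB_CA_CERT }}` input hands the secret to the vault step verbatim, while the third hunk of this same diff pipes the identical secret through `base64 -d` before writing it to `VAULT_CACERT`, so the stored value is evidently base64-encoded rather than PEM. Unless the action behind the `vault_step` anchor documents that `caCertificate` accepts base64 (its `uses:` line is outside this hunk, so that cannot be confirmed here), the step will receive an undecodable blob and TLS verification against the homelab CA will not behave as intended. Either confirm the input's expected encoding or decode it once in an earlier step and feed both consumers the PEM file. A one-line comment above the input, `# base64-encoded PEM; verify the action decodes it (the tofu job decodes it manually)`, would at least record the assumption.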
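Review bot: The added `prepare vault self signed cert` step expands `${{ secrets.HOMELAB_CA_CERT }}` directly into the `run:` script text, so the secret becomes part of the generated shell script instead of being read from the environment, and the redirect target `$VAULT_CACERT` is unquoted. Passing the value through the step's `env:` keeps it out of the script body and lets the shell handle it as data: add `env:` with `HOMELAB_CA_CERT_B64: ${{ secrets.HOMELAB_CA_CERT }}` to the step and change the command to `run: printf '%s' "$HOMELAB_CA_CERT_B64" | base64 -d > "$VAULT_CACERT"`. `VAULT_CACERT` is set in the job-level `env:` in this hunk, so the quoted reference resolves as before, and placing the step after `actions/checkout@v4` is correct since the file lives in `github.workspace`. The enclosing job's key starts above this hunk.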