diff --git a/base/vault-namespace/ca-server.yaml b/base/vault-namespace/ca-server.yaml
new file mode 100644
index 0000000..572fe6f
--- /dev/null
+++ b/base/vault-namespace/ca-server.yaml
@@ -0,0 +1,53 @@
+# vault-ca-cert-server is used to distribute frequently rotating vault CA cert
+piVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: vault-ca-cert
+ name: vault-ca-cert
+spec:
+ selector:
+ app: vault-ca-cert-server
+ ports:
+ - name: http-file-serve
+ port: 8100
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vault-ca-cert-server
+ labels:
+ app: vault-ca-cert-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vault-ca-cert-server
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8100"
+ labels:
+ app: vault-ca-cert-server
+ spec:
+ containers:
+ - name: vault-ca-cert-server
+ image: quay.io/utilitywarehouse/kube-ca-cert-server:v0.0.4
+ args:
+ - "-p=8100"
+ - "-f=/etc/tls/ca.crt"
+ ports:
+ - name: http-file-serve
+ containerPort: 8100
+ volumeMounts:
+ - name: vault-tls
+ mountPath: /etc/tls
+ volumes:
+ - name: vault-tls
+ secret:
+ secretName: vault-tls
+ defaultMode: 0400
+ items:
+ - key: ca.crt
+ path: ca.crt
diff --git a/base/vault-namespace/kustomization.yaml b/base/vault-namespace/kustomization.yaml
index bc51919..2abed92 100644
--- a/base/vault-namespace/kustomization.yaml
+++ b/base/vault-namespace/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ca-server.yaml
 - rbac.yaml
 - vault.yaml
 - vault-pki.yaml
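Review bot: The new Deployment in ca-server.yaml declares no `securityContext` and no `resources` for the `vault-ca-cert-server` container, so it runs with whatever the namespace's admission defaults allow (possibly as root, with a writable root filesystem and privilege escalation permitted) and with no memory bound for a pod that is both Prometheus-scraped and reachable from every client that fetches the CA cert. The container only needs to read one item from the `vault-tls` secret and serve it on 8100, so it can drop all capabilities, run as non-root with a read-only root filesystem, and mark the mount `readOnly: true`; the rewritten container stanza is below. The image is pinned by tag only (`quay.io/utilitywarehouse/kube-ca-cert-server:v0.0.4`); for the component that distributes a trust anchor, a digest pin (`image: quay.io/utilitywarehouse/kube-ca-cert-server:v0.0.4@sha256:<DIGEST>`) makes it immutable. `defaultMode: 0400` relies on YAML 1.1 octal parsing, which kubectl's loader applies but a YAML 1.2 parser reads as decimal 400 (mode 0620); `defaultMode: 256` is parser-independent. If `piVersion: v1` on the Service is not an extraction artifact, the Service has no `apiVersion` and the apply will be rejected.
```yaml
      containers:
        - name: vault-ca-cert-server
          image: quay.io/utilitywarehouse/kube-ca-cert-server:v0.0.4
          # … unchanged: args, ports …
          securityContext:
            # assumes the image declares a numeric non-root USER; otherwise add runAsUser
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            # constructed starting values; size from observed usage
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 64Mi
          volumeMounts:
            - name: vault-tls
              mountPath: /etc/tls
              readOnly: true
      # … unchanged: volumes …
```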