diff --git a/.drone/build.sh b/.drone/build.sh
index 05571a6..307b1b7 100644
--- a/.drone/build.sh
+++ b/.drone/build.sh
@@ -1,2 +1,2 @@
-echo $CA_CRT > docker-dind/CA_crt.crt
+echo "${CA_CRT}" > docker-dind/CA_crt.crt
 docker build docker-dind -t ${REGISTRY_DOMAIN}:${REGISTRY_PORT}/docker-dind
diff --git a/.drone/deploy.sh b/.drone/deploy.sh
index 4582d81..55c43a8 100644
--- a/.drone/deploy.sh
+++ b/.drone/deploy.sh
@@ -1,4 +1,7 @@
 docker stack rm squid
 echo 'sleeping...zzz'
 sleep 60
+mkdir -p .secrets
+echo "${CA_CRT}" > .secrets/ca.crt
+echo "${CA_KEY}" > .secrets/ca.key
 docker stack deploy -c docker-compose.yml squid
diff --git a/.drone/drone-home.jsonnet b/.drone/drone-home.jsonnet
index 4da3b5e..f53deac 100644
--- a/.drone/drone-home.jsonnet
+++ b/.drone/drone-home.jsonnet
@@ -9,7 +9,9 @@ local register = import 'node_modules/@sigyl/jsonnet-drone/register.libsonnet';
 deploy(
 'squid',
 '/stack/',
- [],
+ [
+ 'CA_CRT',
+ ],
 publicSecrets,
 secretSecrets,
 [
diff --git a/.drone/drone-home.yml b/.drone/drone-home.yml
index a6efb7d..adc924d 100644
--- a/.drone/drone-home.yml
+++ b/.drone/drone-home.yml
@@ -35,6 +35,7 @@ steps:
 - drone_repo_name
 - drone_repo_namespace
 - ca_crt
+ - ca_crt
 - local_domain
 - ca_key
 host: ${SSH_HOST}
@@ -44,6 +45,7 @@ steps:
 script:
 - rm -f env-squid
 - "echo \"export CA_CRT='$${CA_CRT}'\" >> env-squid # \"ca-crt\""
+ - "echo \"export CA_CRT='$${CA_CRT}'\" >> env-squid # \"ca-crt\""
 - "echo \"export LOCAL_DOMAIN='$${LOCAL_DOMAIN}'\" >> env-squid # \"local-domain\""
 - "echo \"export CA_KEY='$${CA_KEY}'\" >> env-squid # \"ca-key\""
 username: ${SSH_USER}
@@ -81,6 +83,9 @@ steps:
 - sh .drone/build.sh
 - sh .drone/push.sh
 - sh .drone/logout.sh
+ environment:
+ CA_CRT:
+ from_secret: ca-crt
 volumes:
 - name: dockersock
 path: /var/run
@@ -101,6 +106,7 @@ steps:
 - ca_crt
 - local_domain
 - ca_key
+ - ca_crt
 host: ${SSH_HOST}
 key: ${SSH_KEY}
 passphrase: ${SSH_PASSPHRASE}
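Review bot: In .drone/build.sh the new `echo "${CA_CRT}" > docker-dind/CA_crt.crt` still writes a file when the secret is missing, so an unset or empty CA_CRT produces an empty certificate file that the Dockerfile then copies into the image. The two-line script shown has no `set -e` and no guard. Adding `: "${CA_CRT:?CA_CRT is not set}"` as the first line would stop the build before an image without the expected CA reaches the push step. Writing the file with `printf '%s\n' "${CA_CRT}" > docker-dind/CA_crt.crt` would also avoid the shell-dependent escape handling of `echo` when the script runs under `sh`.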
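Review bot: The CA private key written by `echo "${CA_KEY}" > .secrets/ca.key` in .drone/deploy.sh gets whatever permissions the deploy user's umask allows, and with a common 022 umask both the `.secrets` directory and the key are readable by every local account. Anyone who can read that key can issue certificates that clients trusting this CA will accept. Putting `umask 077` before `mkdir -p .secrets` keeps the directory and both files owner-only. The key also stays on disk after `docker stack deploy` returns. If docker-compose.yml consumes it as a swarm secret (not visible in this diff), the file could be removed once the deploy has finished.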
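Review bot: Adding `'CA_CRT'` to the third argument of `deploy(...)` in .drone/drone-home.jsonnet appears to duplicate a secret that is already passed in. The regenerated .drone/drone-home.yml now lists `- ca_crt` twice in the same list (hunks at -35 and -101) and emits the `export CA_CRT=...` line twice (hunks at -44 and -109). If CA_CRT already arrives through `publicSecrets` or `secretSecrets`, the extra entry is redundant here and only the build step's new `environment:` block is needed. Otherwise the list would benefit from a short comment saying what it controls, which cannot be determined from this hunk. The `deploy(` call continues past the end of the hunk.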
@@ -109,6 +115,7 @@ steps:
 - export CA_KEY=$${CA_KEY}
 - export CA_CRT=$${CA_CRT}
 - export LOCAL_DOMAIN=$${LOCAL_DOMAIN}
+ - export CA_CRT=$${CA_CRT}
 - export DOMAIN=$${DOMAIN}
 - export REGISTRY_DOMAIN=$${REGISTRY_DOMAIN}
 - export REGISTRY_PORT=$${REGISTRY_PORT}
diff --git a/docker-dind/Dockerfile b/docker-dind/Dockerfile
index 6fa9af8..cb2b4d1 100644
--- a/docker-dind/Dockerfile
+++ b/docker-dind/Dockerfile
@@ -1,3 +1,3 @@
 FROM docker:18.06.0-dind
-COPY CA_crt.crt /usr/local/share/ca-certificates/CA_crt.crt
+COPY ./CA_crt.crt /usr/local/share/ca-certificates/CA_crt.crt
 RUN update-ca-certificates