diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index e3c2e74..d1f09af 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -116,6 +116,22 @@
     kubeconfig: "{{ kubeconfig.path }}"
     values: "{{ components.stepcertificates.chart_values }}"
 
+- name: Retrieve step-ca configuration
+  kubernetes.core.k8s_log:
+    kind: Job
+    name: step-certificates
+    namespace: step-ca
+    kubeconfig: "{{ kubeconfig.path }}"
+  register: stepca_bootstraplog
+
+- name: Install root CA in system truststore
+  ansible.builtin.shell:
+    cmd: |
+      step ca bootstrap \
+        --ca-url={{ stepca_bootstraplog.log | regex_search('CA URL: (.+)', '\\1') | first }} \
+        --fingerprint={{ stepca_bootstraplog.log | regex_search('CA Fingerprint: (.+)', '\\1') | first }} \
+        --install
+
 - name: Install harbor chart
   kubernetes.core.helm:
     name: harbor
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 4d647ec..7c6c7c3 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -13,16 +13,23 @@ platform:
     - name: traefik
       namespace: kube-system
       config: |2
+            additionalArguments:
+              - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
+              - "--certificatesResolvers.stepca.acme.email=admin"
+              - "--certificatesResolvers.stepca.acme.httpChallenge=true"
+              - "--certificatesResolvers.stepca.acme.httpChallenge.entryPoint=web"
+              - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
+              - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
             globalArguments: []
+            ingressRoute:
+              dashboard:
+                enabled: false
             ports:
               ssh:
                 port: 8022
                 protocol: TCP
               web:
                 redirectTo: websecure
-            ingressRoute:
-              dashboard:
-                enabled: false
 
   helm_repositories:
     - name: longhorn
@@ -83,8 +90,12 @@ components:
       chart_values: !unsafe |
         expose:
           ingress:
+            annotations: {}
             hosts:
               core: registry.{{ vapp['metacluster.fqdn'] }}
+          tls:
+            certSource: none
+            enabled: false
         externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
         harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}"
         notary: