diff --git a/systemd/cert-renewer.service b/systemd/cert-renewer.service
new file mode 100644
index 0000000..13593f2
--- /dev/null
+++ b/systemd/cert-renewer.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Certificate renewal
+After=network-online.target
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+StartLimitIntervalSec=0
+; PartOf=cert-renewer.target
+
+[Service]
+Type=oneshot
+User=root
+
+Environment=CERT_LOCATION=/home/john/soteria/certs/soteria.crt \
+ KEY_LOCATION=/home/john/soteria/certs/soteria.key
+
+; ExecCondition checks if the certificate is ready for renewal,
+; based on the exit status of the command.
+; (In systemd <242, you can use ExecStartPre= here.)
+ExecCondition=/usr/bin/step certificate needs-renewal ${CERT_LOCATION}
+
+; ExecStart renews the certificate, if ExecStartPre was successful.
+ExecStart=/usr/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
+
+ExecStartPost=/usr/bin/openssl x509 -noout -enddate -in ${CERT_LOCATION}
+ExecStartPost=/usr/bin/docker exec caddy caddy reload --config /etc/caddy/Caddyfile
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/systemd/cert-renewer.timer b/systemd/cert-renewer.timer
new file mode 100644
index 0000000..4d62f44
--- /dev/null
+++ b/systemd/cert-renewer.timer
@@ -0,0 +1,19 @@
+[Unit]
+Description=Timer for certificate renewal
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+; PartOf=cert-renewer.target
+
+[Timer]
+Persistent=true
+
+; Run the timer unit every 15 minutes.
+OnCalendar=*:1/15
+
+; Always run the timer on time.
+AccuracySec=1us
+
+; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
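Review bot: `User=root` in the `[Service]` section is broader than the renewal needs: `ExecCondition=` and `ExecStart=` only read and rewrite the two files under /home/john/soteria/certs named in `Environment=`, and root appears to be required only so the second `ExecStartPost=` can reach the Docker socket for `docker exec caddy caddy reload`. Consider running the renewal as the owner of that directory and moving the Caddy reload into a separate root-owned unit, or at minimum bounding this root service with `ProtectSystem=strict` and `ReadWritePaths=/home/john/soteria/certs` so a compromised step binary or a bad certificate path cannot write elsewhere. The comment above `ExecStart=` still refers to ExecStartPre although the check was moved to `ExecCondition=`; replace it with `; ExecStart renews the certificate, if ExecCondition succeeded.`. Also, `After=network-online.target` only orders the unit and does not pull the target in; pair it with `Wants=network-online.target` so the network is actually up before the renewal contacts the CA.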
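Review bot: The comment `; Always run the timer on time.` above `AccuracySec=1us` contradicts the `RandomizedDelaySec=5m` two lines below; the 1us accuracy only stops systemd from coalescing this firing with other timers, while the randomized delay still spreads each run across a 5-minute window, so the effective cadence is every 15 minutes plus up to 5 minutes of jitter. Suggest `; Disable timer coalescing so the randomized delay below is the only slack.` in its place. The jitter comment also misspells the idiom: `; Add jitter to prevent a "thundering herd" of simultaneous certificate renewals.`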