diff --git a/scripts/cert_renew_hook.sh b/scripts/cert_renew_hook.sh
old mode 100644
new mode 100755
diff --git a/scripts/init.sh b/scripts/init.sh
index 4072cc8..cc45d41 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -65,3 +65,35 @@ if [[ ! -d ./data/.lego ]]; then fi # Setup cronjob to automatically renew certificates
+[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.service ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.service && systemctl daemon-reload
+[Unit]
+Description=SSL Certificate renewal for sso.base23.de with LEGO
+Documentation=https://go-acme.github.io/lego/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/var/lib/apps/sso.base23.de/scripts/cert_renew.sh
+WorkingDirectory=/var/lib/apps/sso.base23.de/
+User=root
+Group=root
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+[[ ! -f /etc/systemd/system/lego-renew-sso-base23-de.timer ]] && cat < /etc/systemd/system/lego-renew-sso-base23-de.timer && systemctl daemon-reload && systemctl enable --now lego-renew-sso-base23-de.timer
+[Unit]
+Description=SSL Certificate renewal for sso.base23.de with LEGO Timer
+
+[Timer]
+OnCalendar=*-*-* 01:32:00
+# add extra delay, here up to 1 hour:
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
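Review bot: `RemainAfterExit=yes` in the `[Service]` section of lego-renew-sso-base23-de.service keeps the oneshot unit active after its first successful run, and a timer does not start a unit that is already active, so the 01:32 renewal would run once and then stop silently until the unit is stopped or the host reboots. Drop that line and let `Type=oneshot` return the unit to inactive, otherwise the certificate for sso.base23.de will eventually expire without any failed job to alert on. Separately, `ExecStart=/var/lib/apps/sso.base23.de/scripts/cert_renew.sh` runs as root from the application tree; if that directory or script is writable by a non-root account, whoever can edit it gains root on the next timer run. I would verify root ownership and no group/world write bit before installing the unit, and consider `NoNewPrivileges=yes` plus `ProtectSystem=strict` with a `ReadWritePaths=` entry for the data directory once the script's write paths are confirmed.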