diff --git a/docker/Dockerfile b/docker/Dockerfile
index 921cc43..d64067f 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,8 +20,5 @@ ENV JAVA_OPTS -Djenkins.install.runSetupWizard=false -Dhudson.slaves.WorkspaceLi
 ENV CASC_JENKINS_CONFIG /var/jenkins_home/casc.yaml
 ENV JENKINS_HOME /var/jenkins_home
 
-# get RootCA so that we have it for importing:
-RUN curl -sSL https://platform-nas.gad.local/K-Stufen/cert/Belden-Global-Root-CA.crt -o /tmp/rootCA_Belden.crt
-
 COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
 RUN jenkins-plugin-cli --plugin-file /usr/share/jenkins/ref/plugins.txt
diff --git a/playbooks/getting_started/setup-nwl-jenkins.yaml b/playbooks/getting_started/setup-nwl-jenkins.yaml
index 0841a8b..4d41611 100644
--- a/playbooks/getting_started/setup-nwl-jenkins.yaml
+++ b/playbooks/getting_started/setup-nwl-jenkins.yaml
@@ -63,6 +63,7 @@
         executable: /bin/bash
     - name: Setup trust store containing Belden root CA in Jenkins
       ansible.builtin.shell: |
+        curl -sSL https://platform-nas.gad.local/K-Stufen/cert/Belden-Global-Root-CA.crt -o secrets/.cacerts/rootCA_Belden.crt
         docker-compose up --build -d
         sleep 30s
         docker-compose logs | grep "Jenkins is fully up and running"
@@ -70,7 +71,7 @@
           echo "FAILED to bring Jenkins up --> check docker-compose logs"
         else
           docker exec -it $(docker ps | grep jenkins:nwl | cut -d' ' -f1) /bin/bash
-          keytool -keystore /var/jenkins_home/.cacerts/cacerts -import -alias "Belden Root CA" -file /tmp/rootCA_Belden.crt -noprompt -storepass changeit
+          keytool -keystore /var/jenkins_home/.cacerts/cacerts -import -alias "Belden Root CA" -file /var/jenkins_home/.cacerts/rootCA_Belden.crt -noprompt -storepass changeit
           exit
         fi
         docker-compose down