diff --git a/files/snster-kaz/hoster-a/kaz1/provision.sh b/files/snster-kaz/hoster-a/kaz1/provision.sh
index b7f5800..1220759 100644
--- a/files/snster-kaz/hoster-a/kaz1/provision.sh
+++ b/files/snster-kaz/hoster-a/kaz1/provision.sh
@@ -55,10 +55,13 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
 # On place les certifs
+# On place les certifs
+if [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi
 if [ -d letsencrypt ]; then
   cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
-  /usr/sbin/update-ca-certificates --fresh
 fi
 # On sauve le proxy APT
diff --git a/files/snster-kaz/hoster-b/kaz2/provision.sh b/files/snster-kaz/hoster-b/kaz2/provision.sh
index 38f79a9..68e6b20 100644
--- a/files/snster-kaz/hoster-b/kaz2/provision.sh
+++ b/files/snster-kaz/hoster-b/kaz2/provision.sh
@@ -55,10 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc
 # On place les certifs
+if [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi
 if [ -d letsencrypt ]; then
   cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
-  /usr/sbin/update-ca-certificates --fresh
 fi
 # On sauve le proxy APT
diff --git a/files/snster-kaz/isp-a/home/provision.sh b/files/snster-kaz/isp-a/home/provision.sh
index 52b6a64..9db8a76 100644
--- a/files/snster-kaz/isp-a/home/provision.sh
+++ b/files/snster-kaz/isp-a/home/provision.sh
@@ -23,9 +23,8 @@ if [ -f /clawsmail/addclawsuser.sh ]; then
 fi
 # On place les certifs
-if [ -d letsencrypt ]; then
-  cp -ar letsencrypt /etc/
-  cp /etc/letsencrypt/local/rootCA.pem /usr/local/share/ca-certificates/root.crt
+if [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
   /usr/sbin/update-ca-certificates --fresh
 fi
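Review bot: The added `+# On place les certifs` line in the kaz1 hunk duplicates the context comment directly above it, so the script now carries the same section header twice; the kaz2 hunk of this commit adds the same block without the duplicate. Drop that added comment line so the two hoster scripts stay identical. While here, `cp -ar` on a single regular file only needs `cp -a` (`-r` is a no-op for a file), and a short comment such as `# update-ca-certificates publishes this as /etc/ssl/certs/root_ca.pem` would tell readers where the trusted copy lands.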
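Review bot: In the kaz2 hunk, the surviving `cp -ar letsencrypt /etc/` copies symlinks as symlinks (`-a` implies `--no-dereference`), and vm-provision.sh in this same commit turns `/etc/letsencrypt/live/kaz.sns/fullchain.pem` and `privkey.pem` into links to `/root/tls/wildcard.*`; inside kaz2 they only resolve if something in provision.sh outside this hunk also places `/root/tls`, and the hunk itself copies nothing but `tls/root_ca.crt`. If nothing does, services on kaz2 will find dangling `privkey.pem`/`fullchain.pem`. Dereferencing at copy time, `cp -rL letsencrypt /etc/`, makes the container self-contained; please confirm which of the two layouts is intended.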
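Review bot: In the isp-a/home hunk the `root_ca.crt` filename is load-bearing: `update-ca-certificates` publishes it as `/etc/ssl/certs/root_ca.pem`, which is exactly the path the Firefox `policies.json` hunk below imports, but neither hunk says so. A one-line comment above the `cp`, `# file name matters: update-ca-certificates exposes it as /etc/ssl/certs/root_ca.pem, which the Firefox policy below imports`, would keep the two from drifting apart on a later rename. Also `-r` is unnecessary for a single file; `cp -a` (or `install -m 0644`) reads clearer.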
@@ -34,7 +33,7 @@ echo -e '{
   "policies": {
     "Certificates": {
       "ImportEnterpriseRoots": true,
-      "Install": ["/etc/ssl/certs/root.pem"]
+      "Install": ["/etc/ssl/certs/root_ca.pem"]
     }
   }
 }' > /usr/lib/firefox-esr/distribution/policies.json
diff --git a/files/snster-kaz/mica/infra/provision.sh b/files/snster-kaz/mica/infra/provision.sh
index f514752..efd4725 100644
--- a/files/snster-kaz/mica/infra/provision.sh
+++ b/files/snster-kaz/mica/infra/provision.sh
@@ -14,6 +14,11 @@ apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y unbound
 cp dns.conf /etc/unbound/unbound.conf.d/
+# On place les certifs
+if [ -f tls/root_ca.crt ]; then
+  cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/
+  /usr/sbin/update-ca-certificates --fresh
+fi
 # Install smallstep CA / ACME server
 cd /tmp
@@ -23,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2
 dpkg -i step-ca_0.24.2_amd64.deb
 echo "password" > /root/ca-passwordfile
-step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="letsencrypt/local/rootCA.pem" --key "letsencrypt/local/rootCA-key.pem"
+step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key"
 echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local
 chmod +x /etc/rc.local
diff --git a/files/vm-provision.sh b/files/vm-provision.sh
index 15755eb..6fde8e4 100755
--- a/files/vm-provision.sh
+++ b/files/vm-provision.sh
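Review bot: In the mica/infra `@@ -23,7 +28,7` hunk, `${DIR}` is not set anywhere visible and the script has already done `cd /tmp` (context line of the previous hunk), so the relative `tls/` path used by the new block in `@@ -14` cannot be reused here; if `DIR` is unset the arguments silently become `/tls/root_ca.crt` and `/tls/root_ca_key`. Add `: "${DIR:?DIR must point at the provisioning directory}"` just before the `step ca init` line so the failure is explicit rather than a confusing init error. Once the init has finished, step-ca signs leaf certificates with the intermediate key (the vm-provision.sh hunk of this commit shows exactly that with `--ca intermediate_ca.crt --ca-key intermediate_ca_key`), so the plaintext root key left at `${DIR}/tls/root_ca_key` on the CA host is only an exposure; `shred -u -- "${DIR}/tls/root_ca_key"` after a successful init would limit it, assuming nothing later in the script (outside the hunk) reads the file again.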
@@ -143,48 +143,25 @@ SystemMaxFileSize=2M EOF fi - # CA et certifs avec mkcert - - echo -e "\n #### mkcert\n" - DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools - - mkdir -p /root/mkcert - cd /root/mkcert - if [ ! -f mkcert ]; then - wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert - chmod +x mkcert - mkdir -p /etc/letsencrypt/local/ - export CAROOT=/etc/letsencrypt/local/ - /root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ - cd "${CAROOT}" - cat > "${CAROOT}/kaz.sns.cnf" < /root/ca-passwordfile + step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" + + mkdir -p /root/tls + cp /root/.step/certs/root_ca.crt /root/tls/ + cp /root/.step/secrets/root_ca_key /root/tls/ + step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force + + step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure + + mkdir -p /etc/letsencrypt/live/kaz.sns/ + ln -sf /root/tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem + ln -sf /root/tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem # Cache docker registry echo "proxy: 
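Review bot: `step crypto change-pass /root/tls/root_ca_key --no-password --insecure` strips the passphrase from the root CA private key and leaves it in clear text under `/root/tls`, apparently only so that mica/infra can import it with `--key`; `step ca init` also accepts `--key-password-file` (present in the 0.24 line as far as I know), so the infra side could pass `--key-password-file="/root/ca-passwordfile"` and keep the encrypted key, dropping the change-pass line here. The two `ln -sf` lines make `fullchain.pem`/`privkey.pem` symlinks into `/root/tls`, and the next hunk copies `/etc/letsencrypt` with `cp -ar` into the kaz1/kaz2 provisioning trees, where the links still point at `/root/tls` and only resolve if that path also exists in the target container; copying the files (`cp`) or dereferencing at copy time avoids that dependency. `echo "password" > /root/ca-passwordfile` hard-codes the CA password, acceptable for a throwaway lab, but a `chmod 600 /root/ca-passwordfile` right after it costs nothing. The removed mkcert block is cut in this view after `cat > "${CAROOT}/kaz.sns.cnf"`, so the deleted side was not fully reviewed.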
@@ -219,10 +196,10 @@ auth:
   cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
   # crypto keys
-  cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
-  cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
-  cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
-  cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/
+  cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
+  cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
+  cp -ar /root/tls /root/snster-kaz/isp-a/home/
+  cp -ar /root/tls /root/snster-kaz/mica/infra/
   # On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév
diff --git a/files/vm-upgrade.sh b/files/vm-upgrade.sh
index 89c32bd..45fc7b2 100755
--- a/files/vm-upgrade.sh
+++ b/files/vm-upgrade.sh
@@ -26,10 +26,10 @@ git switch "${KAZBRANCH}"
 # On écrase les anciens fichiers
 cp -ar /tmp/kaz-vagrant/files/snster-kaz /root/
 # crypto keys
-cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
-cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
-cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
-cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/
+cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/
+cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/
+cp -ar /root/tls /root/snster-kaz/isp-a/home/
+cp -ar /root/tls /root/snster-kaz/mica/infra/
 # On détruit et reconstruit tout sauf kaz-prod
 SNSTER="snster -c /root/snster-kaz"
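Review bot: The four `cp -ar /root/tls ...` lines in the vm-provision.sh hunk ship `root_ca_key`, unencrypted since the earlier hunk ran `step crypto change-pass --no-password`, into the kaz1, kaz2, home and infra provisioning trees, yet only mica/infra's `step ca init --key` consumes it; the hoster and home scripts in this commit read just `tls/root_ca.crt`, and the `home` client workstation in particular should never hold the root private key. Copy the certificate alone wherever the certificate is all that is needed, and the whole directory only for infra. Whether kaz1/kaz2 also need `wildcard.crt`/`wildcard.key` for their symlinked `/etc/letsencrypt` depends on their provision.sh beyond the hunks shown; if so, copy those two files explicitly rather than the directory, as below. The enclosing block of vm-provision.sh starts before this hunk.
```shell
  # crypto keys: everyone gets the root cert, the hosters also get the wildcard pair,
  # and only the CA host (mica/infra) gets the root private key
  for node in hoster-a/kaz1 hoster-b/kaz2 isp-a/home; do
    install -D -m 0644 /root/tls/root_ca.crt "/root/snster-kaz/${node}/tls/root_ca.crt"
  done
  for hoster in hoster-a/kaz1 hoster-b/kaz2; do
    cp -a /root/tls/wildcard.crt /root/tls/wildcard.key "/root/snster-kaz/${hoster}/tls/"
    cp -ar /etc/letsencrypt "/root/snster-kaz/${hoster}/"
  done
  cp -ar /root/tls /root/snster-kaz/mica/infra/
```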
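Review bot: The vm-upgrade.sh hunk has the same root-key spread as vm-provision.sh: `cp -ar /root/tls ...` places the passphrase-less `root_ca_key` into the kaz1, kaz2 and home trees on every upgrade, while only mica/infra needs it, and the `snster` rebuild that follows (the "On détruit et reconstruit" block) bakes whatever is in those trees into the containers. The smallest change that keeps this hunk's shape is to remove the key from the three non-CA trees right after the copies, `rm -f /root/snster-kaz/{hoster-a/kaz1,hoster-b/kaz2,isp-a/home}/tls/root_ca_key` (bash brace expansion), though copying `root_ca.crt` individually, plus `wildcard.*` for the hosters if they need it, is the cleaner fix and keeps the two scripts in step.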