diff --git a/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl b/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
index faf3eaef..21b7dbb9 100644
--- a/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
@@ -68,6 +68,9 @@ selfSigned:
       enabled: true
       password:
         value: {{ .Values.secrets.certificates.password | quote }}
+        secret:
+          name: {{ .Values.externalSecrets.certificates.password.name | quote }}
+          key: {{ .Values.externalSecrets.certificates.password.key | quote }}
 
 wildcard: {{ .Values.certificate.wildcard }}
 ...
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
new file mode 100644
index 00000000..49ee3a6f
--- /dev/null
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,11 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+externalSecrets:
+  certificates:
+    password :
+      name: ~
+      key: ~
+...
\ No newline at end of file