diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 909e48e0754c59151d03939dd198243419f58697..5ef8d6faf961ef1bcbca52a06bc913c0b368c641 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -143,3 +143,14 @@ push-release-image-nexus:
     - mvn deploy -Pnexus-deploy $MAVEN_DEPLOY_CLI_OPTS $MAVEN_CLI_OPTS
   rules:
     - if: $CI_COMMIT_TAG
+
+
+# Extra jobs
+push-keystore-assembler-image-nexus:
+  stage: publish
+  script:
+    - docker build -f keystore-truststore-from-tls-secret.dockerfile -t keystore-truststore-from-tls-secret:latest .
+    - echo "$NEXUS_PASSWORD" | docker login -u "$NEXUS_USER" --password-stdin nexus.ozg-sh.de
+    - docker tag keystore-truststore-from-tls-secret:latest docker.ozg-sh.de/keystore-truststore-from-tls-secret:latest
+    - docker push docker.ozg-sh.de/keystore-truststore-from-tls-secret:latest
+  when: manual
\ No newline at end of file
diff --git a/keystore-truststore-from-tls-secret.dockerfile b/keystore-truststore-from-tls-secret.dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..1d8a2c6f49e44000a10893449525a40ff7c58098
--- /dev/null
+++ b/keystore-truststore-from-tls-secret.dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.21
+
+RUN apk add --no-cache openssl openjdk11
+
+COPY src/main/resources/store/keystore-truststore-from-tls-secret.sh ./
+
+VOLUME /store /tls
+
+ENTRYPOINT [ "/bin/sh", "keystore-truststore-from-tls-secret.sh" ]
\ No newline at end of file
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index 904a7abb143a875a54995a0cbc3a27447080c615..b0aa5db7112088027d2cc4f0f6ad2c41f706718f 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -59,17 +59,7 @@ spec:
             app.kubernetes.io/name: {{ .Release.Name }}
       initContainers:
         - name: init-keystore-and-truststore
-          image: alpine:3.21
-          command: [ "/bin/sh", "-c" ]
-          args:
-            - |
-              apk add --no-cache openssl openjdk11
-
-              echo "[1.0] Import Root CA into Xta-Server-Truststore"
-              keytool -importcert -alias xta-test-root-ca -keystore /store/keystore.jks -storetype JKS -storepass password -file /tls/ca.crt -noprompt
-
-              # Create a PKCS#12 keystore from tls.crt and tls.key
-              openssl pkcs12 -export -in /tls/tls.crt -inkey /tls/tls.key -out /store/keystore.p12 -name xta-test-server -passout pass:password
+          image: docker.ozg-sh.de/keystore-truststore-from-tls-secret:latest
           volumeMounts:
             - name: xta-test-server-tls-store
               mountPath: "/tls/"
diff --git a/src/main/resources/store/keystore-truststore-from-tls-secret.sh b/src/main/resources/store/keystore-truststore-from-tls-secret.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1c89348913b5e2b57ca87d68525fabd94b045e93
--- /dev/null
+++ b/src/main/resources/store/keystore-truststore-from-tls-secret.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+IN_CA_CRT=${IN_CA_CRT-:/tls/ca.crt}
+IN_TLS_KEY=${IN_TLS_KEY-:/tls/tls.key}
+IN_TLS_CRT=${IN_TLS_CRT-:/tls/tls.crt}
+
+OUT_JKS_TRUSTSTORE=${OUT_JKS_TRUSTSTORE-:/store/truststore.jks}
+OUT_JKS_TRUSTSTORE_KEY_ALIAS=${OUT_JKS_TRUSTSTORE_KEY_ALIAS-:xta-test-root-ca}
+OUT_JKS_TRUSTSTORE_KEY_PASSWORD=${OUT_JKS_TRUSTSTORE_KEY_PASSWORD-:password}
+echo "[1.0] Create $OUT_JKS_TRUSTSTORE from $IN_CA_CRT"
+keytool -importcert -alias "$OUT_JKS_TRUSTSTORE_KEY_ALIAS" -keystore "$OUT_JKS_TRUSTSTORE" -storetype JKS -storepass "$OUT_JKS_TRUSTSTORE_KEY_PASSWORD" -file "$IN_CA_CRT" -noprompt
+
+OUT_P12_KEYSTORE=${OUT_P12_KEYSTORE-:/store/keystore.p12}
+OUT_P12_KEYSTORE_KEY_ALIAS=${OUT_P12_KEYSTORE_KEY_ALIAS-:xta-test-server}
+OUT_P12_KEYSTORE_KEY_PASSWORD=${OUT_P12_KEYSTORE_KEY_PASSWORD-:password}
+echo "[2.0] Create $OUT_P12_KEYSTORE from $IN_TLS_KEY and $IN_TLS_CRT"
+openssl pkcs12 -export -in "$IN_TLS_CRT" -inkey "$IN_TLS_KEY" -out "$OUT_P12_KEYSTORE" -name "$OUT_P12_KEYSTORE_KEY_ALIAS" -passout "pass:$OUT_P12_KEYSTORE_KEY_PASSWORD"
\ No newline at end of file