diff --git a/global/overlay/etc/puppet/modules/cdn/files/bootstrap-client b/global/overlay/etc/puppet/modules/cdn/files/bootstrap-client
new file mode 100644
index 0000000..53229d3
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/cdn/files/bootstrap-client
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Create /root/.step, executed by puppet
+CA_FINGERPRINT=$(step certificate fingerprint /opt/step-ca/data/certs/root_ca.crt)
+step ca bootstrap --ca-url https://localhost:9000 --fingerprint "$CA_FINGERPRINT"
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
index 708cdcf..1fb6c94 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
@@ -51,6 +51,14 @@ class cdn::ca(
 content => file('cdn/ca/set-provisioner-pw'),
 }
+ file { '/opt/step-ca/init/scripts/bootstrap-client':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => file('cdn/ca/bootstrap-client'),
+ }
+
 file { '/opt/step-ca/init/deb':
 ensure => directory,
 owner => 'root',
@@ -103,4 +111,9 @@ class cdn::ca(
 compose_filename => 'docker-compose.yml',
 description => 'SUNET CDN CA',
 }
+
+ exec { '/opt/step-ca/init/scripts/bootstrap-client':
+ creates => '/root/.step/config/defaults.json',
+ onlyif => 'test -f /opt/step-ca/data/certs/root_ca.crt'
+ }
 }
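Review bot: The new script has no error handling, so if `step certificate fingerprint` fails or prints nothing, the `step ca bootstrap` line still runs with an empty `--fingerprint` value. The fingerprint is what pins the CA root during bootstrap, so the script should fail closed: add `set -euo pipefail` after the shebang and `[ -n "$CA_FINGERPRINT" ] || exit 1` before the bootstrap call. The comment promises `/root/.step`, but the script leaves the target directory to the caller's environment. Adding `export STEPPATH=/root/.step` would make it explicit, which matters if Puppet's exec does not pass `HOME` through (worth confirming on the agent).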
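Review bot: `content => file('cdn/ca/bootstrap-client')` resolves to `modules/cdn/files/ca/bootstrap-client`, but this commit adds the script one directory up, at `modules/cdn/files/bootstrap-client`. Unless a copy already exists under `files/ca/` outside this diff, `file()` will not find it and catalog compilation will fail on this resource. Either move the script next to `set-provisioner-pw` under `files/ca/`, or change the reference to `file('cdn/bootstrap-client')`. The surrounding `class cdn::ca` body starts and ends outside this hunk.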
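Review bot: The `onlyif` command `test -f ...` in the new exec is not fully qualified and the resource sets no `path`, which Puppet rejects unless a default `Exec { path => ... }` is declared elsewhere. Add `path => ['/usr/bin', '/bin'],` or write `/usr/bin/test -f ...`. The script also calls `step` by bare name, so the chosen path has to include wherever the step CLI is installed. The guard only checks that `root_ca.crt` exists, not that the CA at `https://localhost:9000` is answering, so the exec will presumably fail on runs where the container is not yet up. A comment saying that this retry-on-next-run behaviour is intended would help.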