diff --git a/deploy/azure/atst-nginx-configmap.yml b/deploy/azure/atst-nginx-configmap.yml
index b7959845..5f51c7d6 100644
--- a/deploy/azure/atst-nginx-configmap.yml
+++ b/deploy/azure/atst-nginx-configmap.yml
@@ -40,7 +40,7 @@ data:
 listen ${PORT_PREFIX}442 ssl;
 listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
 ssl_certificate /etc/ssl/atat.crt;
- ssl_certificate_key /etc/ssl/atat.crt;
+ ssl_certificate_key /etc/ssl/atat.key;
 # additional SSL/TLS settings
 include /etc/nginx/snippets/ssl.conf;
@@ -73,7 +73,7 @@ data:
 listen ${PORT_PREFIX}443 ssl;
 listen [::]:${PORT_PREFIX}443 ssl ipv6only=on;
 ssl_certificate /etc/ssl/atat.crt;
- ssl_certificate_key /etc/ssl/atat.crt;
+ ssl_certificate_key /etc/ssl/atat.key;
 # Request and validate client certificate
 ssl_verify_client on;
 ssl_verify_depth 10;
diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml
index e8a9eacb..02952029 100644
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
@@ -70,14 +70,14 @@ spec:
 mountPath: "/etc/nginx/.htpasswd"
 subPath: .htpasswd
 - name: nginx-client-ca-bundle
- mountPath: "/etc/ssl/"
+ mountPath: "/etc/ssl/client-ca-bundle.pem"
+ subPath: "client-ca-bundle.pem"
 - name: acme
 mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
 - name: snippets
 mountPath: "/etc/nginx/snippets/"
 - name: nginx-secret
 mountPath: "/etc/ssl/"
- readOnly: true
 volumes:
 - name: atst-config
 secret:
@@ -89,7 +89,10 @@ spec:
 - name: nginx-client-ca-bundle
 configMap:
 name: nginx-client-ca-bundle
- defaultMode: 0666
+ defaultMode: 0444
+ items:
+ - key: "client-ca-bundle.pem"
+ path: "client-ca-bundle.pem"
 - name: nginx-config
 configMap:
 name: atst-nginx
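Review bot: `ssl_certificate_key /etc/ssl/atat.key;` only resolves because the nginx-secret flexVolume in deploy/azure/azure.yml now exposes a Key Vault object under the alias `atat.key`, and nothing on either side records that coupling; the same applies to the second server block changed in the `@@ -73,7` hunk. A comment above the pair, `# atat.crt / atat.key are keyvaultobjectaliases of the nginx-secret flexVolume in deploy/azure/azure.yml`, would make the dependency visible where the next person edits it. The cert/key pair is also duplicated across the 442 and 443 server blocks, which is why this fix had to be made twice; if `/etc/nginx/snippets/ssl.conf` is the shared TLS snippet, moving both directives there would prevent the two blocks from drifting again. Both server blocks begin and end outside the hunk.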
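Review bot: The removed `readOnly: true` on the nginx-secret mount leaves the volume that now carries the TLS private key (`atat.key`, per the flexVolume aliases later in this file) writable from the nginx container; unless the flexVolume driver rejects the flag, keep `readOnly: true` on that mount. The new client-ca-bundle mount is a `subPath` file mount, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a rotated CA bundle only takes effect after a pod restart; worth a comment on the line, `# subPath mount: ConfigMap updates need a pod restart`. The volumeMounts and volumes lists both start and end outside the hunk.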
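Review bot: `defaultMode: 0444` is a leading-zero plain scalar whose value depends on the loader (octal 292 under YAML 1.1, decimal 444 under YAML 1.2), and Kubernetes documents the field as an integer; kubectl has historically read it as octal, but the intent is not pinned in the file, and the same ambiguity applied to the `0666` it replaces. A comment such as `# 0444 octal (292 decimal): owner/group/other read-only` on the line, or the explicit `0o444` form, records which reading is meant. Narrowing the ConfigMap to the single `client-ca-bundle.pem` item is a good tightening.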
@@ -134,9 +137,9 @@ spec:
 options:
 usepodidentity: "true"
 keyvaultname: "atat-vault-test"
- keyvaultobjectnames: "dhparam4096;master-cert"
- keyvaultobjectaliases: "dhparam.pem;atat.crt"
- keyvaultobjecttypes: "secret;cert"
+ keyvaultobjectnames: "dhparam4096;master-cert;master-cert"
+ keyvaultobjectaliases: "dhparam.pem;atat.key;atat.crt"
+ keyvaultobjecttypes: "secret;secret;secret"
 tenantid: $TENANT_ID
 ---
 apiVersion: extensions/v1beta1
diff --git a/deploy/overlays/staging/flex_vol.yml b/deploy/overlays/staging/flex_vol.yml
index ef8ca168..0ebeea84 100644
--- a/deploy/overlays/staging/flex_vol.yml
+++ b/deploy/overlays/staging/flex_vol.yml
@@ -10,4 +10,4 @@ spec:
 flexVolume:
 options:
 keyvaultname: "atat-vault-test"
- keyvaultobjectnames: "dhparam4096;staging-cert"
+ keyvaultobjectnames: "dhparam4096;staging-cert;staging-cert"
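Review bot: Fetching `master-cert` twice as type `secret` under the aliases `atat.key` and `atat.crt` presumably writes the same Key Vault payload to both files; if that payload is the certificate's PEM export, which includes the private key, then `/etc/ssl/atat.crt` (the file nginx serves as `ssl_certificate`) also carries the private key. nginx tolerates a key block in the certificate file, so this likely works, but what each alias is expected to contain is undocumented and the change from `cert` to `secret` for the certificate object is unexplained. A comment above the three keys stating what `master-cert`'s secret holds and why both aliases point at it, e.g. `# master-cert secret is the PEM export (key + chain); both aliases receive it, nginx reads the block it needs from each`, would settle that for the next reader. The flexVolume block begins outside the hunk.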
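Review bot: Only `keyvaultobjectnames` is patched in this overlay, so if it is merged over deploy/azure/azure.yml the aliases and types pairing with each `staging-cert` entry come from the base by position, and nothing here says so. A comment on the line, `# positions must line up with keyvaultobjectaliases/keyvaultobjecttypes in deploy/azure/azure.yml`, would keep the two lists from drifting apart. The flexVolume block starts outside the hunk.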