diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index 3cb73b8..5ef33d6 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -18,23 +18,33 @@ def call(rw_limit, stages) {
             ]) {
                 node(POD_LABEL) {
                     checkout scm
-                    withEnv([
-                        "HOME=${WORKSPACE}",
-                        "KRB5CCNAME=${WORKSPACE}/.krb5cc",
-                        'ANSIBLE_SSH_EXTRA_ARGS=-A',
+                    withCredentials([
+                        file(
+                            credentialsId: 'jenkins-cfgmgmt-cert',
+                            variable: 'SSHCERT',
+                        )
                     ]) {
-                        container('ansible') {
-                            try {
-                                sshagent(['jenkins-sudo-sshkey']) {
+                        withEnv([
+                            "HOME=${WORKSPACE}",
+                            "KRB5CCNAME=${WORKSPACE}/.krb5cc",
+                            "ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}",
+                        ]) {
+                            container('ansible') {
+                                try {
                                     stageKinit()
-                                    stageRemountRW(rw_limit)
-                                    generateStages(stages)
-                                    stageRemountRO(rw_limit)
+                                    sshagent([
+                                        'jenkins-cfgmgmt',
+                                        'jenkins-sudo-sshkey',
+                                    ]) {
+                                        stageRemountRW(rw_limit)
+                                        generateStages(stages)
+                                        stageRemountRO(rw_limit)
+                                    }
+                                } catch (err) {
+                                    postFailure(err)
+                                } finally {
+                                    postCleanup()
                                 }
-                            } catch (err) {
-                                postFailure(err)
-                            } finally {
-                                postCleanup()
                             }
                         }
                     }