diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index 8504750..e9e49d3 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -24,7 +24,7 @@ services:
 ############################################ DataSHIELD Server (Opal)
 opal:
 container_name: bridgehead-opal
- image: obiba/opal:4.5
+ image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.opal_ccp.rule=PathPrefix(`/opal`)"
@@ -44,6 +44,11 @@ services:
 ROCK_HOSTS: "opal-rserver:8085"
 APP_URL: "https://${HOST}/opal"
 APP_CONTEXT_PATH: "/opal"
+ OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
+ OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
+ secrets:
+ - opal-cert.pem
+ - opal-key.pem
 # volumes:
 # - "bridgehead-opal:/srv"
@@ -93,3 +98,9 @@ services:
 # name: "bridgehead-opal-db"
 # bridgehead-opal:
 # name: "bridgehead-opal"
+
+secrets:
+ opal-cert.pem:
+ file: /etc/bridgehead/traefik-tls/opal-cert.pem
+ opal-key.pem:
+ file: /etc/bridgehead/traefik-tls/opal-key.pem
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index 0bafe6b..3573c8c 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -5,3 +5,6 @@ if [ "$ENABLE_DATASHIELD" == true ];then
 OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
 fi
 OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+if [ ! -e "/etc/bridgehead/traefik-tls/opal-cert.pem" ]; then
+ openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/opal-key.pem -out /etc/bridgehead/traefik-tls/opal-cert.pem -days 3650 -subj "/CN=$HOST"
+fi
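Review bot: The image line moves from the pinned `obiba/opal:4.5` to a mutable `:latest` tag, so every pull can silently change the Opal build a site runs and a rollback cannot name a known-good version. Pin to a version tag or a digest, e.g. `image: docker.verbis.dkfz.de/ccp/dktk-opal:<version>` or `image: docker.verbis.dkfz.de/ccp/dktk-opal@sha256:<digest>` (placeholders — take the real value from the registry), and bump it deliberately. If `:latest` is the intended deployment policy for this internal registry, a one-line comment above the `image:` key saying so would spare the next reader the question.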
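Review bot: The two `file:` paths under the new top-level `secrets:` are hard-coded copies of the paths that `datashield-setup.sh` writes in the same commit, and nothing in the compose file tells a reader that these files are generated on first run rather than provisioned by hand. Add a comment above `secrets:`, e.g. `# Opal TLS key pair; created by ccp/modules/datashield-setup.sh when opal-cert.pem is absent`. As far as I recall Compose refuses to start a service whose file-backed secret is missing, so the dependency on the setup script is worth stating where the paths live.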
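Review bot: The guard on the new `if` tests only `opal-cert.pem`, so a present cert with a missing `opal-key.pem` skips generation and the compose file then references a secret file that does not exist; test both files, `if [ ! -e "/etc/bridgehead/traefik-tls/opal-cert.pem" ] || [ ! -e "/etc/bridgehead/traefik-tls/opal-key.pem" ]; then`. The key is written with `-nodes` and whatever mode the current umask yields, so consider tightening it right after generation with `chmod 600 /etc/bridgehead/traefik-tls/opal-key.pem`. Note also that the block sits after the `fi` closing the `ENABLE_DATASHIELD` check, so the key pair is generated even when DataSHIELD is disabled — presumably mirroring how `OPAL_DB_PASSWORD` is already computed unconditionally, but worth confirming that is intended.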