diff --git a/deployment/zitadel/cert-job.yaml b/deployment/zitadel/cert-job.yaml index 7fe8f61..b535362 100644 --- a/deployment/zitadel/cert-job.yaml +++ b/deployment/zitadel/cert-job.yaml @@ -1,10 +1,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: zitadel-cert-creator - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/sync-wave: "2" + name: certs-creator --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -13,18 +10,15 @@ metadata: rules: - apiGroups: [ "" ] resources: [ "secrets" ] - verbs: [ "create" ] + verbs: [ "create", "patch" ] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: zitadel-cert-creator - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/sync-wave: "2" + name: certs-creator subjects: - kind: ServiceAccount - name: zitadel-cert-creator + name: certs-creator roleRef: kind: Role name: secret-creator 
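Review bot: The `patch` verb added to the secret-creator Role is not exercised by the new Job: the only API call in the apply-certs container (third hunk of this file) is `-X POST .../secrets`, which needs `create` alone, so the Role now grants more than the workload uses, on every secret in the namespace. If `patch` is intended for re-runs that update existing secrets, keep `create` as it is (create cannot be scoped by name) and put `patch` in a second rule limited with `resourceNames: [ "postgres-cert", "zitadel-cert" ]`, the two secrets the values file references; otherwise drop it again. The Role's metadata starts before this hunk, so its name and namespace are not visible here.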
@@ -33,81 +27,122 @@ roleRef: apiVersion: batch/v1 kind: Job metadata: - name: create-zitadel-cert - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/sync-wave: "2" + name: create-certs spec: template: spec: restartPolicy: OnFailure - serviceAccountName: zitadel-cert-creator - containers: - - command: - - /bin/bash - - -ecx - - | - cockroach cert create-client \ - --certs-dir /cockroach/cockroach-certs \ - --ca-key /cockroach/cockroach-certs/ca.key \ - --lifetime 8760h \ - zitadel - export SECRET=$(cat <> ${USER}-cert.json + } + + cd /secret + + # Create a CA key and cert for signing other certs + createKey ca + openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA" + + createKey postgres + createSigningRequest postgres + signCertificate postgres.csr postgres.crt ca.crt ca.key + createCertSecret postgres + + createKey zitadel + createSigningRequest zitadel + signCertificate zitadel.csr zitadel.crt ca.crt ca.key + createCertSecret zitadel + image: alpine/openssl imagePullPolicy: IfNotPresent - name: copy-certs + name: create-certs volumeMounts: - - mountPath: /cockroach-certs/ - name: certs - - mountPath: /certs/ - name: certs-secret + - mountPath: /secret + name: secret + containers: + - image: alpine/curl + name: apply-certs + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - | + export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt + + function uploadSecret { + USER=$1 + curl \ + --cacert ${CACERT} \ + --header "Authorization: Bearer ${TOKEN}" \ + --header "Content-Type: application/json" \ + -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \ + --data "$(tr -d '\n' < /secret/${USER}-cert.json)" \ + > /dev/null || echo "error uploading ${USER} secret: $?" 
+ } + + uploadSecret postgres + uploadSecret zitadel + volumeMounts: + - mountPath: /secret + name: secret volumes: - - emptyDir: {} - name: certs - - name: certs-secret - projected: - defaultMode: 420 - sources: - - secret: - items: - - key: ca.crt - mode: 256 - path: ca.crt - - key: ca.key - mode: 256 - path: ca.key - name: cockroachdb-ca-secret + - name: secret + emptyDir: + medium: Memory \ No newline at end of file diff --git a/deployment/zitadel/cockroach-values.yaml b/deployment/zitadel/cockroach-values.yaml deleted file mode 100644 index c398106..0000000 --- a/deployment/zitadel/cockroach-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -tls: - enabled: true - -annotations: - argocd.argoproj.io/hook: Sync - -storage: - persistentVolume: - size: 5Gi - -init: - jobAnnotations: - argocd.argoproj.io/hook: Sync \ No newline at end of file diff --git a/deployment/zitadel/kustomization.yaml b/deployment/zitadel/kustomization.yaml index cb5592a..4938e35 100644 --- a/deployment/zitadel/kustomization.yaml +++ b/deployment/zitadel/kustomization.yaml @@ -8,12 +8,12 @@ resources: - ./ingressRoute.yaml helmCharts: - - name: cockroachdb - repo: https://charts.cockroachdb.com/ - releaseName: cockroachdb + - name: bitnami + repo: https://charts.bitnami.com/bitnami + releaseName: postgresql namespace: generations-heritage - version: 12.0.2 - valuesFile: cockroach-values.yaml + version: 12.10.0 + valuesFile: postgres-values.yaml - name: zitadel repo: https://charts.zitadel.com releaseName: zitadel diff --git a/deployment/zitadel/postgres-values.yaml b/deployment/zitadel/postgres-values.yaml new file mode 100644 index 0000000..a183af0 --- /dev/null +++ b/deployment/zitadel/postgres-values.yaml 
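Review bot: uploadSecret in apply-certs cannot fail the Job: curl exits 0 on an HTTP 403 or 409 unless `--fail` is given, and the `|| echo "error uploading ${USER} secret: $?"` branch only logs, so a rejected POST (an RBAC 403, or a 409 on re-run because the secret already exists) leaves the Job Complete with no usable secret. Change the call to `curl --fail --silent --show-error \` and the tail to `> /dev/null || { echo "error uploading ${USER} secret" >&2; exit 1; }`, and open the script with `set -eu` so an unset path or token aborts as well. Related: the CA is minted with `-days 365` into a Memory emptyDir, so renewal means re-running this Job, which with plain POST will hit exactly that 409. The create-certs script is not fully legible in this view (the text between `cat <` and `> ${USER}-cert.json` is missing), so the JSON the secrets are built from was not reviewed.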
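Review bot: `name: bitnami` under helmCharts looks like the repository name rather than a chart name; as far as I know the PostgreSQL chart served from https://charts.bitnami.com/bitnami is called `postgresql`, so kustomize would try to fetch a chart named `bitnami` at 12.10.0 and fail. The line should read `- name: postgresql`. With `releaseName: postgresql` the chart's Service is normally named after the release, so `Host: db-postgresql` in values.yaml should be checked against the rendered Service name (a release named `db` would produce it); I cannot confirm either from the diff alone.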
@@ -0,0 +1,25 @@ +annotations: + argocd.argoproj.io/hook: Sync + +volumePermissions: + enabled: true + +tls: + enabled: true + certificatesSecret: postgres-cert + certFilename: "tls.crt" + certKeyFilename: "tls.key" + +persistence: + size: 2Gi + +init: + jobAnnotations: + argocd.argoproj.io/hook: Sync + +env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: postgres-auth + key: admin-password \ No newline at end of file diff --git a/deployment/zitadel/secrets.yaml b/deployment/zitadel/secrets.yaml index 3faf188..a677cf4 100644 --- a/deployment/zitadel/secrets.yaml +++ b/deployment/zitadel/secrets.yaml @@ -13,11 +13,11 @@ stringData: apiVersion: v1 kind: Secret metadata: - name: cockroach-auth + name: postgres-auth annotations: argocd.argoproj.io/hook: PreSync labels: secret-generator.cs.sap.com/enabled: "true" stringData: - cockroach-password: "%generate" + admin-password: "%generate" user-password: "%generate" diff --git a/deployment/zitadel/values.yaml b/deployment/zitadel/values.yaml index ba8fa83..4969b8f 100644 --- a/deployment/zitadel/values.yaml +++ b/deployment/zitadel/values.yaml @@ -7,18 +7,26 @@ zitadel: TLS: Enabled: false Database: - Cockroach: - Host: cockroachdb-public + Postgres: + Host: db-postgresql + Port: 5432 + Database: zitadel + MaxOpenConns: 20 + MaxIdleConns: 10 + MaxConnLifetime: 30m + MaxConnIdleTime: 5m User: + Username: zitadel SSL: Mode: verify-full Admin: + Username: postgres SSL: Mode: verify-full - dbSslCaCrtSecret: cockroachdb-ca-secret - dbSslAdminCrtSecret: cockroachdb-client-secret - dbSslUserCrtSecret: db-cockroachdb-zitadel-secret + dbSslCaCrtSecret: postgres-cert + dbSslAdminCrtSecret: postgres-cert + dbSslUserCrtSecret: zitadel-cert image: repository: ghcr.io/zitadel/zitadel 
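Review bot: The top-level `env:` list at the end of postgres-values.yaml is, as far as I can tell, not a value the bitnami/postgresql chart reads, so `POSTGRES_PASSWORD` from `postgres-auth` would be silently ignored and the chart would generate its own superuser password, which cannot match the `admin-password` zitadel reads from the same secret in values.yaml. The chart's supported way is `auth.existingSecret` plus `auth.secretKeys.adminPasswordKey`; container environment, if still needed, belongs under `primary.extraEnvVars`. If `env` is in fact consumed by the chart version pinned in kustomization.yaml, a comment next to it saying so would save the next reader the same check.
```yaml
# … unchanged: annotations, volumePermissions, tls, persistence, init …

auth:
  existingSecret: postgres-auth
  secretKeys:
    adminPasswordKey: admin-password
```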
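Review bot: `dbSslAdminCrtSecret: postgres-cert` hands zitadel the same secret that postgres-values.yaml mounts as the server's TLS material (`tls.certificatesSecret: postgres-cert`), so the database server's private key is distributed into the zitadel pods as a client certificate. Mint a dedicated admin client certificate in the cert Job (its createKey/createSigningRequest/signCertificate helpers already exist) and reference that secret here, leaving `postgres-cert` for the server only. Separately, `Mode: verify-full` makes the client check the server certificate against `Host: db-postgresql`, so the postgres CSR must carry that name as CN or SAN; the CSR helper is not legible in this diff, so that could not be confirmed. `dbSslCaCrtSecret: postgres-cert` likewise assumes the secret carries a `ca.crt` key, which the collapsed create-certs script does not show.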
@@ -40,14 +48,14 @@ env: name: zitadel-masterkey key: admin-password - - name: ZITADEL_DATABASE_COCKROACH_USER_PASSWORD + - name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD valueFrom: secretKeyRef: - name: cockroach-auth + name: postgres-auth key: user-password - - name: ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD + - name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: cockroach-auth - key: cockroach-password \ No newline at end of file + name: postgres-auth + key: admin-password \ No newline at end of file