diff --git a/firewall-turris-download.sh b/firewall-turris-download.sh
index 1373f850bae51de711961d86ab132ca4832f49ec..d0d3f0b9ff3af3fd296fd5849c70d2fffbb3a2c3 100755
--- a/firewall-turris-download.sh
+++ b/firewall-turris-download.sh
@@ -94,18 +94,11 @@ TEST_SIGN_KEY_URL="https://api.turris.cz/firewall-test/turris-rules.pub"
 TEST_IPSETS_URL="https://api.turris.cz/firewall-test/turris-ipsets.gz"
 TEST_IPSETS_SIGN_URL="${TEST_IPSETS_URL}.sign"
 
-CRL_FILE_PERSISTENT="/etc/ssl/crl.pem"
-CRL_FILE_TEMPORAL="/tmp/crl.pem"
+CRL_FILE="/etc/ssl/crl.pem"
+CACERT_FILE="/etc/ssl/turris.pem"
 
 BIN_DIR="/usr/share/firewall"
 
-# Temporal crl file should be up-to date
-if [ -f "${CRL_FILE_TEMPORAL}" ]; then
-    CRL_FILE="${CRL_FILE_TEMPORAL}"
-else
-    CRL_FILE="${CRL_FILE_PERSISTENT}"
-fi
-
 # Return md5 of a file the file should exist
 file_md5() {
     local file="$1"
@@ -130,7 +123,7 @@ download() {
         url="$master_url"
     fi
 
-    curl -fs --cacert /etc/ssl/startcom.pem --crlfile "${CRL_FILE}" "${url}" -o "${destination}"
+    curl -fs --cacert ${CACERT_FILE} --crlfile "${CRL_FILE}" "${url}" -o "${destination}"
     if [ $? -eq 0 ]; then
         return 0
     else
@@ -236,7 +229,7 @@ mkdir -p "${DOWNLOAD_DIR}"
 
 if test_branch ; then
     if [ ! -f "${TEST_SIGN_KEY}" ] ; then
-        curl -fs --cacert /etc/ssl/startcom.pem --crlfile "${CRL_FILE}" "${TEST_SIGN_KEY_URL}" -o "${TEST_SIGN_KEY}"
+        curl -fs --cacert ${CACERT_FILE} --crlfile "${CRL_FILE}" "${TEST_SIGN_KEY_URL}" -o "${TEST_SIGN_KEY}"
     fi
     test="true"
 else