diff --git a/cacerts/cache-crl b/cacerts/cache-crl
new file mode 100755
index 0000000000000000000000000000000000000000..466674a5bae88030cf6f464a1051ffc862a44b3b
--- /dev/null
+++ b/cacerts/cache-crl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# This shall be run on the server regularly, to cache the CRL
+
+set -xe
+
+DIR=$(mktemp -d)
+HIST_DIR="/var/www/crl-hist"
+SYMLINK="/var/www/crl-hist/crl"
+
+trap 'rm -rf "$DIR"' EXIT ABRT QUIT TERM INT
+cd "$DIR"
+
+echo | openssl s_client -connect api.turris.cz:443 -showcerts 2>/dev/null | awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > (c ".pem")}'
+
+# Make sure we downloaded something
+test -e 0.pem
+for i in *.pem ; do
+	# This is a hack a bit, we expect the hostname to be crl\. something. Our CA satisfies this now and if it breaks, we would find out.
+	openssl x509 -in "$i" -noout -text | grep -o 'http://crl\..*' | xargs curl -s -S >crl.unknown
+	openssl crl -in crl.unknown -inform der -out tmp.pem || openssl crl -in crl.unknown -out tmp.pem
+	test -s tmp.pem
+	cat tmp.pem >>out.pem
+done
+
+FILE="$HIST_DIR"/$(date +%s).pem
+mv out.pem "$FILE"
+chmod a+r "$FILE"
+ln -sf "$FILE" "$SYMLINK"
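Review bot: Nothing in the loop authenticates the downloaded CRL before it is published: `openssl crl -in crl.unknown ... -out tmp.pem` only parses the file and `test -s tmp.pem` only checks that it is non-empty, so whatever the plain-HTTP `crl.` URL returns ends up behind `/var/www/crl-hist/crl` as long as it parses. The URL itself is read from certificates that `s_client` accepts without chain verification, so I would add `-verify_return_error` to that call. Before `cat tmp.pem >>out.pem` I would add a signature check such as `openssl crl -in tmp.pem -CAfile "$CA_BUNDLE" -noout 2>&1 | grep -q 'verify OK'`, where `CA_BUNDLE` is a placeholder for a locally pinned copy of the issuing CA chain. Matching on the `verify OK` text is deliberate, since some OpenSSL releases appear to exit 0 even after printing `verify failure`. Since this runs unattended, `set -o pipefail` and `curl -f --max-time <seconds>` would also make a failed or stalled download abort the run rather than depend on the later parse step.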