diff --git a/Dockerfile b/Dockerfile
index 11de0a6..eb7fbb4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM osixia/phpldapadmin
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && \
  apt install --no-install-recommends -y ca-certificates dnsutils iputils-ping && \
- rm -rf /var/lib/apt/lists/*
-COPY ldap.conf /etc/ldap/ldap.conf
-COPY startup.sh /container/service/phpldapadmin/startup.sh
-
+ rm -rf /var/lib/apt/lists/* && \
+ rm /etc/ldap/ldap.conf
+COPY ldap_startup.sh /container/service/ldap-client/startup.sh
+COPY www_startup.sh /container/service/phpldapadmin/startup.sh
diff --git a/README.md b/README.md
index 6ff8f2b..f22405c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,8 @@
 Extended from Osixia/phpldapadmin
  - Adds ca-certificates package
- - Points ldap.conf TLS_CACERT to the ISRG Root X1 CA (allows using let's Encrypt certificates for ldaps)
+ - Points ldap.conf TLS_CACERT to a pem file under /etc/ssl/certs specified by
  - Rips out the config.php bootstrap from startup
+ - Rips out most of the ldap client startup, opting to use a system CA cert instead
  - Expects an existing config (ie a volume mounted configMap) present at /container/service/phpldapadmin/assets/config/config.php
  - The read-only config mount will be copied to /var/www/phpldapadmin/config/config.php at startup and chowned to www-data
diff --git a/ldap.conf b/ldap.conf
deleted file mode 100644
index e5d275e..0000000
--- a/ldap.conf
+++ /dev/null
@@ -1 +0,0 @@
-TLS_CACERT /etc/ssl/certs/ISRG_Root_X1.pem
diff --git a/ldap_startup.sh b/ldap_startup.sh
new file mode 100755
index 0000000..cc2b5b7
--- /dev/null
+++ b/ldap_startup.sh
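Review bot: The new `rm /etc/ldap/ldap.conf` step carries no explanation of why the distro client config is deleted, and without `-f` the build now depends on the base image shipping that file; with the untagged `FROM osixia/phpldapadmin` just above the hunk, a base-image update can change that (or the defaults the file carried) without any change in this repository. A comment on the RUN line such as `# drop the distro ldap.conf: ldap_startup.sh regenerates it from PHPLDAPADMIN_LDAP_CLIENT_TLS_* on first start` would make the coupling visible, and pinning the base tag would make the step reproducible. The two COPY lines replace the base image's service startup scripts for ldap-client and phpldapadmin (the replaced ldap-client script is not visible here, so whatever validation it performed is presumably gone); stating in the README which base behaviour is overridden would help operators reason about the TLS setup.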
@@ -0,0 +1,24 @@
+#!/bin/bash -e
+
+# set -x (bash debug) if log level is trace
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/log-helper
+log-helper level eq trace && set -x
+
+www_data_homedir=$( getent passwd "www-data" | cut -d: -f6 )
+
+FIRST_START_DONE="${CONTAINER_STATE_DIR}/docker-ldap-client-first-start-done"
+# container first start
+if [ ! -e "$FIRST_START_DONE" ]; then
+
+ if [ "${PHPLDAPADMIN_LDAP_CLIENT_TLS,,}" == "true" ]; then
+
+ echo "TLS_REQCERT $PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT" >> /etc/ldap/ldap.conf
+ echo "TLS_CACERT /etc/ssl/certs/$PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME" >> /etc/ldap/ldap.conf
+
+ fi
+
+ touch $FIRST_START_DONE
+
+fi
+
+exit 0
\ No newline at end of file
diff --git a/startup.sh b/www_startup.sh
similarity index 100%
rename from startup.sh
rename to www_startup.sh
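Review bot: The TLS block writes `$PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT` and `$PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME` into /etc/ldap/ldap.conf unchecked, so an unset filename produces `TLS_CACERT /etc/ssl/certs/` and an unset or weak REQCERT value leaves the ldaps connection without a verifiable server certificate, with nothing logged on first start. Checking that the CA file is readable before writing the config and defaulting TLS_REQCERT to `demand` makes a misconfiguration fail loudly at first start instead of degrading silently; since the Dockerfile now deletes the distro ldap.conf, the `>>` here is what creates the file, which a short comment should say. Smaller points: `www_data_homedir` is assigned but never used in this script, and `touch $FIRST_START_DONE` should be `touch "$FIRST_START_DONE"` (and if CONTAINER_STATE_DIR is unset the marker lands in `/`, which a guard at the top could reject).
```shell
 if [ "${PHPLDAPADMIN_LDAP_CLIENT_TLS,,}" == "true" ]; then
  ca_crt="/etc/ssl/certs/${PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME}"
  if [ -z "$PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME" ] || [ ! -r "$ca_crt" ]; then
   echo "ldap-client: CA file '$ca_crt' is missing or unreadable; set PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME" >&2
   exit 1
  fi
  # /etc/ldap/ldap.conf was removed at build time; this creates it.
  # Default to strict verification; anything weaker must be an explicit operator choice.
  echo "TLS_REQCERT ${PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT:-demand}" >> /etc/ldap/ldap.conf
  echo "TLS_CACERT $ca_crt" >> /etc/ldap/ldap.conf
 fi
 # … unchanged: first-start marker …
 touch "$FIRST_START_DONE"
```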