diff --git a/scripts/push-rprox.sh b/scripts/push-rprox.sh
new file mode 100755
index 0000000..cb8af29
--- /dev/null
+++ b/scripts/push-rprox.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+########################################################################
+
+certs=(
+ 'collector-dn42'
+)
+
+# hosts to push
+hosts=(
+ 'rsync.tier2.uk-lon1.burble.dn42'
+ 'rsync.tier2.fr-rbx1.burble.dn42'
+ 'rsync.tier2.de-fra1.burble.dn42'
+ 'rsync.tier2.ca-bhs2.burble.dn42'
+ 'rsync.tier2.us-dal3.burble.dn42'
+ 'rsync.tier2.sg-sin2.burble.dn42'
+ 'rsync.tier2.us-lax1.burble.dn42'
+ 'rsync.tier2.hk-hkg1.burble.dn42'
+)
+
+dst="apps/nginx/certs"
+
+########################################################################
+
+# where am I ?
+SCRIPTPATH="$(cd "$(dirname "$0")" ; pwd -P)"
+CERTPATH="$(cd "${SCRIPTPATH}/../certificates/"; pwd -P)"
+echo "Certs are here: $CERTPATH"
+pushd "$CERTPATH"
+
+# create a temp directory
+export TMPDIR="$XDG_RUNTIME_DIR"
+tmp=$(mktemp -d)
+if [ $? -ne 0 -o -z "$tmp"]
+then
+ echo "Failed to create tmp directory"
+ exit 1
+fi
+echo "Created tmp directory: $tmp"
+
+function cleanup {
+ if [ -d "$tmp" ]
+ then
+ echo "Cleaning tmp directory"
+ rm -rf "$tmp" > /dev/null 2>&1
+ fi
+}
+trap cleanup EXIT
+
+export VAULT_ADDR='https://vault.burble.dn42'
+
+########################################################################
+# generate one time key for deployment access
+
+echo "Generating temporary rsync key"
+
+sshkey="${tmp}/rsync_key"
+ssh-keygen -t ed25519 -a 100 -N '' -f "$sshkey"
+
+vault write \
+ -field=signed_key \
+ burble.dn42/ssh/user/sign/rsync \
+ public_key="@${sshkey}.pub" \
+ > "${sshkey}-cert.pub"
+if [ $? -ne 0 ]
+then
+ echo "Failed to generate temporary rsync key"
+ exit 1
+fi
+echo "Key is signed"
+
+# fixup perms
+chmod 0600 "${tmp}"/*
+
+########################################################################
+# create a list of files to push
+
+declare -a flist
+
+echo "Files to copy:"
+for cert in ${certs[@]}
+do
+ crt="${cert}/${cert}.crt"
+ key="${cert}/${cert}.key"
+ echo " - $crt"
+ echo " - $key"
+
+ flist+=( "$crt" "$key" )
+done
+
+# and push to hosts
+
+for host in ${hosts[@]}
+do
+ echo "Syncing host: $host"
+ rsync -avogp --delete -e "ssh -i '${sshkey}'" \
+ --chown 81001:81001 --chmod=D2700,F600 \
+ "${flist[@]}" \
+ "root@${host}:${dst}/"
+done
+
+popd
+########################################################################
+# end of file
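Review bot: The temp-directory guard `if [ $? -ne 0 -o -z "$tmp"]` is missing the space before `]`, so whenever `$tmp` is non-empty the bracket is glued onto the last operand and `[` fails with a "missing `]`" error instead of evaluating the test; `if ! tmp=$(mktemp -d) || [ -z "$tmp" ]` states the intent without relying on that. The guard matters because the passphrase-less SSH key is written under `$tmp` and `chmod 0600 "${tmp}"/*` globs from it, so `"${tmp:?}"/*` there would be a cheap second check. `export TMPDIR="$XDG_RUNTIME_DIR"` is also unchecked: if the variable is unset (cron or sudo sessions, for example) mktemp will presumably fall back to its default directory, and `: "${XDG_RUNTIME_DIR:?}"` before the export would stop the key landing somewhere unintended. Neither `ssh-keygen` nor the `rsync` in the host loop has its exit status checked, so a failed push to one host is only visible in the output and the script's exit status comes from the final `popd`. `${certs[@]}` and `${hosts[@]}` should be quoted as `"${certs[@]}"` and `"${hosts[@]}"`.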