diff --git a/certbot-replicate b/certbot-replicate
new file mode 100755
index 0000000..92962e3
--- /dev/null
+++ b/certbot-replicate
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+status=0
+
+for mirror in $(cat /etc/mirrors); do
+ echo
+ echo Deploying to $mirror
+ echo
+
+ rsync -acv --delete --fsync --preallocate /etc/letsencrypt/ $mirror:/etc/letsencrypt &&
+ ssh root@$mirror nginx -s reload ||
+ status=1
+done
+
+exit $status
diff --git a/deploy-primary b/deploy-primary
new file mode 100755
index 0000000..0713a9f
--- /dev/null
+++ b/deploy-primary
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+
+for host in ${hosts_primary[@]}; do
+ remote=root@$host
+
+ echo
+ echo $host
+ echo
+
+ rsync --chmod=F755 certbot-replicate $remote:/usr/local/bin/
+ rsync etc/systemd/system/certbot-renew.service.d/replicate.conf $remote:/etc/systemd/system/certbot-renew.service.d/
+ ssh $remote systemctl daemon-reload
+done
diff --git a/etc/systemd/system/certbot-renew.service.d/replicate.conf b/etc/systemd/system/certbot-renew.service.d/replicate.conf
new file mode 100644
index 0000000..5b7c582
--- /dev/null
+++ b/etc/systemd/system/certbot-renew.service.d/replicate.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/usr/local/bin/certbot-replicate
diff --git a/hosts.sh b/hosts.sh
index 428230d..c4f3354 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -334,6 +334,14 @@ readonly hosts_certbot=(
 grapheneos.social
 )
 
+readonly hosts_primary=(
+ 0.ns1.grapheneos.org
+ 0.ns2.grapheneos.org
+ 0.grapheneos.org
+ 0.grapheneos.network
+ 0.releases.grapheneos.org
+)
+
 readonly hosts_backup=(
 mail.grapheneos.org
 staging.attestation.app
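Review bot: `for mirror in $(cat /etc/mirrors)` in certbot-replicate word-splits and glob-expands the file contents, and `$mirror` is unquoted again in the rsync destination and the ssh command, so an entry containing whitespace or glob characters would become several targets or be expanded against the current directory. Reading the file line by line avoids both: `while IFS= read -r mirror || [[ -n "$mirror" ]]; do` at the top of the loop, `done < /etc/mirrors` at the bottom, and `"$mirror:/etc/letsencrypt"` / `"root@$mirror"` in the rsync and ssh lines. The `&& … ||` list is correct as written (status becomes 1 when either the rsync or the reload fails, and errexit does not apply inside a list), but a one-line comment saying so would stop the next reader from "fixing" it into an if/else that swallows the reload failure. Since the script pushes the whole /etc/letsencrypt tree with `-a` (ownership and modes preserved) to every listed host as root, a header comment should state that /etc/mirrors is the trust boundary for the private key material certbot keeps there and must be writable only by root.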
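Review bot: `for host in ${hosts_primary[@]}` in deploy-primary is unquoted, as is `$remote` in the two rsync lines and the ssh line, so every element is word-split and glob-expanded before use; write `for host in "${hosts_primary[@]}"; do`, `"$remote:/usr/local/bin/"` and `"$remote:/etc/systemd/system/certbot-renew.service.d/"`, and `ssh "$remote" systemctl daemon-reload`. Unlike certbot-replicate, this script does not enable errexit or pipefail itself; unless shared.sh (not visible here) does so, a failed rsync of certbot-replicate is followed by the daemon-reload and by the next host, and the script still exits 0, so the deploy can silently leave a primary without the replication hook. `echo $host` has the same quoting issue and is better as `printf '%s\n' "$host"`.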
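Review bot: ExecStartPost in replicate.conf runs after every successful start of certbot-renew, so certbot-replicate fans out to all mirrors on each timer run even when nothing was renewed, and a non-zero exit from it (any single mirror failing its rsync or nginx reload) marks the whole certbot-renew unit as failed although the renewal itself succeeded. If that coupling is intended, a comment in the drop-in would make it explicit: `# Push /etc/letsencrypt to every host in /etc/mirrors after each renew run; a failing mirror fails this unit`. Otherwise `ExecStartPost=-/usr/local/bin/certbot-replicate` keeps renewal failures distinguishable from replication failures in the unit status, with the per-mirror result still visible in the journal.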