diff --git a/pkg/utils/tls/crypt.go b/pkg/utils/tls/crypt.go
index b638e7c2..b9910f55 100644
--- a/pkg/utils/tls/crypt.go
+++ b/pkg/utils/tls/crypt.go
@@ -228,7 +228,7 @@ func ParseEncodedKey(keyDataEncoded, keyFile string) (*rsa.PrivateKey, error) {
 if err != nil {
 return nil, err
 }
- if keyFile != "" {
+ if keyFile != "" && !paths.CheckFileExist(keyFile) {
 if err = WritePrivateKeyToFile(key, keyFile); err != nil {
 return nil, err
 }
diff --git a/scripts/deploy/deploy.sh b/scripts/deploy/deploy.sh
index 01042f39..e0f75621 100755
--- a/scripts/deploy/deploy.sh
+++ b/scripts/deploy/deploy.sh
@@ -303,7 +303,7 @@ function deploy_autonomy() {
 mount_flag=$(generate_mount_flag)
 host_ip=$(getIPV4Address)
 # TODO: to be remove
- docker run -it --rm -v ${conf_dir}:/tmp ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh autonomy ${DOMAIN_ID} "" "" ${ALLOW_PRIVILEGED}
+ docker run -it --rm -v ${conf_dir}:/tmp -v ${DOMAIN_CERTS_DIR}:${CTR_CERT_ROOT} ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh autonomy ${DOMAIN_ID} "" "" ${ALLOW_PRIVILEGED}
 docker run -dit --privileged --name="${domain_ctr}" --hostname="${domain_ctr}" --restart=always --network=${NETWORK_NAME} -m ${AUTONOMY_MEMORY_LIMIT} \
 -p "${DOMAIN_HOST_PORT}":1080 \
@@ -352,7 +352,7 @@ function deploy_lite() {
 host_ip=$(getIPV4Address)
 # TODO: to be remove
- docker run -it --rm -v ${conf_dir}:/tmp ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh lite ${DOMAIN_ID} ${MASTER_ENDPOINT} ${DOMAIN_TOKEN} ${ALLOW_PRIVILEGED}
+ docker run -it --rm -v ${conf_dir}:/tmp -v ${DOMAIN_CERTS_DIR}:${CTR_CERT_ROOT} ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh lite ${DOMAIN_ID} ${MASTER_ENDPOINT} ${DOMAIN_TOKEN} ${ALLOW_PRIVILEGED}
 # TODO end
 docker run -dit --privileged --name="${domain_ctr}" --hostname="${domain_ctr}" --restart=always --network=${NETWORK_NAME} -m $LITE_MEMORY_LIMIT \
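Review bot: In ParseEncodedKey (pkg/utils/tls/crypt.go), once `keyFile` exists the function still returns the key decoded from `keyDataEncoded` and never reads or compares the file, so the in-memory key and the key on disk can differ without any error or log line. If the file is meant to be authoritative, load it and compare the public parts, e.g. `if !key.PublicKey.Equal(&onDisk.PublicKey) { return nil, fmt.Errorf("key data does not match %s", keyFile) }` (with `onDisk` being the key parsed from the file); otherwise state the precedence in the function's doc comment. The existence check followed by the write is also not atomic, and a failed stat is presumably treated as "does not exist" and followed by a write attempt; both depend on `paths.CheckFileExist` and `WritePrivateKeyToFile`, which are not visible here. The function body starts and ends outside the hunk.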
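Review bot: The new `-v ${DOMAIN_CERTS_DIR}:${CTR_CERT_ROOT}` mount in deploy_autonomy gives the throw-away init container write access to the host directory that holds the domain private key, although the init script change in this commit only reads `domain.key` as far as its hunk shows. Mount it read-only and quote it: `-v "${DOMAIN_CERTS_DIR}:${CTR_CERT_ROOT}:ro"`; the quoting also keeps an empty or space-containing path from turning into a malformed `-v` argument. The same applies to the identical mounts added in deploy_lite and deploy_master. Whether both variables are always set before these functions run is not visible in the hunks, and all three functions continue outside them.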
@@ -390,7 +390,7 @@ function deploy_master() {
 host_ip=$(getIPV4Address)
 # TODO: to be remove
- docker run -it --rm -v ${conf_dir}:/tmp ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh master $master_domain_id
+ docker run -it --rm -v ${conf_dir}:/tmp -v ${DOMAIN_CERTS_DIR}:${CTR_CERT_ROOT} ${KUSCIA_IMAGE} scripts/deploy/init_kuscia_config.sh master $master_domain_id
 docker run -dit --name="${domain_ctr}" --hostname="${domain_ctr}" --restart=always --network=${NETWORK_NAME} -m ${MASTER_MEMORY_LIMIT} \
 --env NAMESPACE=${master_domain_id} \
diff --git a/scripts/deploy/init_kuscia_config.sh b/scripts/deploy/init_kuscia_config.sh
index 9ec65e0d..fc60b89f 100755
--- a/scripts/deploy/init_kuscia_config.sh
+++ b/scripts/deploy/init_kuscia_config.sh
@@ -34,7 +34,14 @@ agent:
 allowPrivileged: true
 "
-DOMAIN_KEY_DATA=$(openssl genrsa 2048 | base64 | tr -d "\n")
+DOMAIN_KEY_FILE="/home/kuscia/var/certs/domain.key"
+if [[ -e ${DOMAIN_KEY_FILE} ]]; then
+ echo -e "Domain key file already exists"
+ DOMAIN_KEY_DATA=$(base64 -i ${DOMAIN_KEY_FILE} | tr -d "\n")
+else
+ echo -e "Generate key data"
+ DOMAIN_KEY_DATA=$(openssl genrsa 2048 | base64 | tr -d "\n")
+fi
 if [[ $MODE == "lite" ]]; then
 CONFIG_DATA=$(sed -e "s!{{.DOMAIN_ID}}!${DOMAIN_ID}!g;
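Review bot: The reuse branch in init_kuscia_config.sh accepts any existing `/home/kuscia/var/certs/domain.key`: `-e` is also true for an empty, unreadable or non-key file, and in that case `DOMAIN_KEY_DATA` ends up empty or invalid and is still substituted into the config. Check for a usable key instead, e.g. `if [[ -s "${DOMAIN_KEY_FILE}" ]] && openssl rsa -in "${DOMAIN_KEY_FILE}" -check -noout >/dev/null 2>&1; then`, quote the path in the `base64` call, and abort rather than fall through to generation when the file exists but fails the check, since the Go side of this commit keeps an existing key file in place. The path is also hard-coded while deploy.sh mounts the certs at `${CTR_CERT_ROOT}`; if the two ever differ the script silently generates a fresh key, so taking the directory from one shared setting would be safer.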