diff --git a/porch/build/Dockerfile.porch b/porch/build/Dockerfile.porch
index 8163f2ddc4..7ac46f408b 100644
--- a/porch/build/Dockerfile.porch
+++ b/porch/build/Dockerfile.porch
@@ -55,5 +55,13 @@ RUN cd porch; go build -v -o /porch ./cmd/porch
 FROM debian:bookworm-slim
 RUN apt update && apt install -y ca-certificates && apt install -y git && rm -rf /var/lib/apt && rm -rf /var/cache/apt
-COPY --from=builder /porch /porch
-ENTRYPOINT ["/porch"]
+
+RUN useradd -s /bin/bash -d /home/porch/ -m -u 1999 porch
+WORKDIR /home/porch
+
+COPY --from=builder /porch /home/porch/porch
+RUN chown porch:porch /home/porch/porch; chmod +x /home/porch/porch
+
+USER porch
+
+ENTRYPOINT ["/home/porch/porch"]
diff --git a/porch/deployments/porch/3-porch-server.yaml b/porch/deployments/porch/3-porch-server.yaml
index 8e18c2ae5d..f4c79388c3 100644
--- a/porch/deployments/porch/3-porch-server.yaml
+++ b/porch/deployments/porch/3-porch-server.yaml
@@ -40,6 +40,8 @@ spec:
 emptyDir: {}
 - name: webhook-certs
 emptyDir: {}
+ - name: api-server-certs
+ emptyDir: {}
 containers:
 - name: porch-server
 # Update image to the image of your porch apiserver build.
@@ -56,6 +58,8 @@ spec:
 name: cache-volume
 - mountPath: /etc/webhook/certs
 name: webhook-certs
+ - name: api-server-certs
+ mountPath: /tmp/certs
 env:
 # Uncomment to enable trace-reporting to jaeger
 #- name: OTEL
@@ -67,6 +71,8 @@ spec:
 args:
 - --function-runner=function-runner:9445
 - --cache-directory=/cache
+ - --cert-dir=/tmp/certs
+ - --secure-port=4443
 ---
 apiVersion: v1
@@ -78,7 +84,7 @@ spec:
 ports:
 - port: 443
 protocol: TCP
-targetPort: 443
+targetPort: 4443
 name: api
 - port: 8443
 protocol: TCP
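Review bot: `RUN chown porch:porch /home/porch/porch; chmod +x /home/porch/porch` joins the two commands with `;`, so a failed chown still lets the step succeed and ships a root-owned binary, and the separate RUN rewrites the whole binary into a second layer. The ownership can be set in the copy itself, `COPY --from=builder --chown=porch:porch /porch /home/porch/porch`, and the RUN line dropped; COPY preserves the source mode bits, and the builder's go build output should already be executable, so the chmod appears redundant (if it must stay, chain it with `&&`). The service account is also created with `-s /bin/bash`; a user that never logs in interactively should get `-s /usr/sbin/nologin` so the image stays at least privilege.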
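Review bot: `api-server-certs` is an `emptyDir`, so whatever the server writes under it is discarded whenever the pod is rescheduled; together with `--cert-dir=/tmp/certs` added in the third hunk of this file, that presumably means a fresh serving certificate on every restart (how the server populates the directory and how the APIService's caBundle is set are not visible here, so this is inferred). If that is intended, a comment beside the volume, `# serving cert is regenerated on each pod start; APIService caBundle must be injected or skipped accordingly`, would save the next reader the investigation; if a stable certificate is expected, the volume should be a Secret mount rather than an emptyDir.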
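Review bot: The new mount lists `name` before `mountPath`, the reverse of the two existing entries directly above it (`- mountPath:` then `name:`); keeping the same key order reads consistently, `- mountPath: /tmp/certs` followed by `name: api-server-certs`. Separately, the existing webhook certificates live under `/etc/webhook/certs`, so a sibling path such as `/etc/apiserver/certs` (used for both this mount and `--cert-dir` in the next hunk) would keep certificate material in one predictable place instead of under `/tmp`.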
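Review bot: `--secure-port=4443` moves the API listener off 443, which the image's switch to a non-root `USER` requires, but any `containerPort` the Deployment declares for the old port is not in this diff and would still name 443; only the Service's `targetPort` is updated in the last hunk, so the container port list should be checked too. A one-line comment on the new arg, `# >1024 because the container no longer runs as root`, would record why the value changed.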