diff --git a/Makefile b/Makefile
index a5a06e2391..f784ba5caf 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice \
 calling-test demo-smtp elasticsearch-curator elasticsearch-external \
 elasticsearch-ephemeral minio-external cassandra-external \
 nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper sftd restund coturn \
-inbucket k8ssandra-test-cluster postgresql
+inbucket k8ssandra-test-cluster postgresql smallstep-accomp
 KIND_CLUSTER_NAME := wire-server
 HELM_PARALLELISM ?= 1 # 1 for sequential tests; 6 for all-parallel tests
diff --git a/changelog.d/2-features/WPB-6252 b/changelog.d/2-features/WPB-6252
new file mode 100644
index 0000000000..45fcfbc53c
--- /dev/null
+++ b/changelog.d/2-features/WPB-6252
@@ -0,0 +1 @@
+Add Helm chart `smallstep-accomp` that provides a CRL endpoint proxy for federated E2EI
diff --git a/charts/smallstep-accomp/Chart.yaml b/charts/smallstep-accomp/Chart.yaml
new file mode 100644
index 0000000000..3d7b589a7f
--- /dev/null
+++ b/charts/smallstep-accomp/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Accompanying chart for Smallstep E2EI support
+name: smallstep-accomp
+version: 1.0.0
diff --git a/charts/smallstep-accomp/README.md b/charts/smallstep-accomp/README.md
new file mode 100644
index 0000000000..584e0ea988
--- /dev/null
+++ b/charts/smallstep-accomp/README.md
@@ -0,0 +1,18 @@
+This Helm chart installs a reverse proxy that proxies the Certificate Revocation List (CRL) Distribution Point of the Smallstep servers CRL Certificate Authority (CA) from federating domains and the own domain. It is required to be installed alongside the Smallstep helm chart.
+
+The Helm chart deploys a nginx server that reverse-proxies `https:///proxyCrl/` to `http://{other_acme_domain}/crl` (note: http, not https) as well as an ingress for the `/proxyCrl` endpoint. For example if `upstreams.proxiedHosts` is set to `[acme.alpha.example.com, acme.beta.example.com]` and the host for the Smallstep server on the own domain is `acme.alpha.example.com` this helm chart will forward requests
+
+- `https://acme.alpha.example.com/proxyCrl/acme.alpha.example.com` to `http://acme.alpha.example.com/crl`
+- `https://acme.alpha.example.com/proxyCrl/acme.beta.example.com` to `http://acme.beta.example.com/crl`
+
+## Parameters
+
+| Name | Description |
+| ------------------------- | ----------------------------------------------------------------------------------------- |
+| `upstreams.enable` | Set to `false` in case you want to write custom nginx server block for the upstream rules |
+| `upstreams.dnsResolver` | DNS server that nginx uses to resolve the proxied hostnames |
+| `upstreams.proxiedHosts` | List of smallstep hostnames to proxy. Please also include the own smallstep host here |
+| `nginx.ingress.enable` | Set to `false` in case you'd like to define a custom ingress for the /proxyCrl endpoint |
+| `nginx.ingress.hostname` | Hostname of the Smallstep server |
+
+For more details on `nginx.*` parameters see README.md documentation in the `nginx` dependency chart.
diff --git a/charts/smallstep-accomp/requirements.yaml b/charts/smallstep-accomp/requirements.yaml
new file mode 100644
index 0000000000..e9d0780c6e
--- /dev/null
+++ b/charts/smallstep-accomp/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+- name: nginx
+ version: 15.10.4
+ repository: https://charts.bitnami.com/bitnami
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml
new file mode 100644
index 0000000000..da483f86e4
--- /dev/null
+++ b/charts/smallstep-accomp/templates/server-block-configmap.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.upstreams.enable .Values.nginx.existingServerBlockConfigmap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.nginx.existingServerBlockConfigmap }}
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ server.conf: |
+ resolver {{ .Values.upstreams.dnsResolver }};
+
+ server {
+ listen 0.0.0.0:8080;
+
+ {{- range .Values.upstreams.proxiedHosts }}
+
+ location /proxyCrl/{{ . }} {
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Host {{ . }};
+ proxy_hide_header Content-Type;
+ add_header Content-Type application/pkix-crl;
+ proxy_pass "http://{{ . }}/crl";
+ }
+
+ {{- end }}
+ }
+{{- end }}
diff --git a/charts/smallstep-accomp/values.yaml b/charts/smallstep-accomp/values.yaml
new file mode 100644
index 0000000000..a0885b76f7
--- /dev/null
+++ b/charts/smallstep-accomp/values.yaml
@@ -0,0 +1,29 @@
+upstreams:
+ enable: true
+ # dnsResolver: 9.9.9.9
+
+ # Note: include the smallstep host of the own domain here as well
+ proxiedHosts: []
+ # proxiedHosts:
+ # - acme.alpha.example.com
+ # - acme.beta.example.com
+ # - acme.gamma.example.com
+
+nginx:
+ existingServerBlockConfigmap: "smallstep-accomp-server-block"
+
+ service:
+ type: ClusterIP
+
+ ingress:
+ enabled: true
+ # ingressClassName: "nginx"
+
+ # hostname: "acme.alpha.example.com"
+ path: "/proxyCrl"
+ pathType: "Prefix"
+
+ # extraTls:
+ # -
+ # hosts: [ "acme.alpha.example.com" ]
+ # secretName: "smallstep-step-certificates-ingress-cert"
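Review bot: The `location /proxyCrl/{{ . }}` blocks in server.conf are prefix matches, so any request whose path merely begins with `/proxyCrl/<host>` is forwarded, with the rest of the path appended after `/crl` on the upstream (nginx replaces the matched prefix with the proxy_pass URI), which makes the CRL endpoint a general path proxy to every configured host rather than the single CRL URL the README describes; declaring them as exact matches, `location = /proxyCrl/{{ . }} {`, limits it to that one URL. Separately, `resolver {{ .Values.upstreams.dnsResolver }};` renders as `resolver ;` when the value is unset — and values.yaml in this commit ships `dnsResolver` commented out — which nginx rejects as an invalid directive at startup; `resolver {{ required "upstreams.dnsResolver must be set" .Values.upstreams.dnsResolver }};` fails the install with a clear message instead. A comment above `proxy_pass` noting that the upstream is deliberately fetched over plaintext HTTP (the README calls this out), presumably acceptable because a CRL carries the CA's own signature, would keep a future maintainer from "fixing" it to https without checking the upstream actually serves TLS.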
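Review bot: The ingress toggle here is `nginx.ingress.enabled`, while the README table added in the same commit documents it as `nginx.ingress.enable`; the two should agree, otherwise a user following the README sets a key the chart never reads. The `extraTls` block is left commented out although `ingress.enabled: true` exposes `/proxyCrl`, and the README's examples assume it is reached over `https://`; a comment such as `# Set extraTls (or terminate TLS at the ingress controller) so /proxyCrl is not served in plaintext` above the commented block would make that dependency explicit. Whether the ingress controller adds TLS on its own cannot be told from this chart, so the comment should state it as a requirement rather than a default.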