diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go
index 8d5e1c8..420a6ad 100644
--- a/cmd/certspotter/main.go
+++ b/cmd/certspotter/main.go
@@ -89,6 +89,13 @@ func defaultConfigDir() string {
 return filepath.Join(homedir(), ".certspotter")
 }
 }
+func defaultCacheDir() string {
+ userCacheDir, err := os.UserCacheDir()
+ if err != nil {
+ panic(fmt.Errorf("unable to determine user cache directory: %w", err))
+ }
+ return filepath.Join(userCacheDir, "certspotter")
+}
 func defaultWatchListPath() string {
 return filepath.Join(defaultConfigDir(), "watchlist")
 }
@@ -192,6 +199,7 @@ func main() {
 
 fsstate := &monitor.FilesystemState{
 StateDir: flags.stateDir,
+ CacheDir: defaultCacheDir(),
 SaveCerts: !flags.noSave,
 Script: flags.script,
 ScriptDir: defaultScriptDir(),
diff --git a/monitor/fsstate.go b/monitor/fsstate.go
index 970f4fe..b23ae18 100644
--- a/monitor/fsstate.go
+++ b/monitor/fsstate.go
@@ -28,6 +28,7 @@ import (
 
 type FilesystemState struct {
 StateDir string
+ CacheDir string
 SaveCerts bool
 Script string
 ScriptDir string
@@ -40,7 +41,13 @@ func (s *FilesystemState) logStateDir(logID LogID) string {
 }
 
 func (s *FilesystemState) Prepare(ctx context.Context) error {
- return prepareStateDir(s.StateDir)
+ if err := prepareStateDir(s.StateDir); err != nil {
+ return err
+ }
+ if err := prepareCacheDir(s.CacheDir); err != nil {
+ return err
+ }
+ return nil
 }
 
 func (s *FilesystemState) PrepareLog(ctx context.Context, logID LogID) error {
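Review bot: `defaultCacheDir()` panics when `os.UserCacheDir()` fails, and the second hunk of this file calls it unconditionally while building `fsstate` in `main()`, so a process started without a usable `$HOME` or `$XDG_CACHE_HOME` aborts with a stack trace even if `flags.stateDir` was supplied explicitly. Minimal service environments often lack both variables, and for a monitor that runs unattended a startup crash is a silent gap in coverage. Consider making the cache location configurable the same way the state directory is, and resolving the default only when no value was given, so the failure becomes a normal error message and non-zero exit rather than a panic. A short doc comment such as `// defaultCacheDir returns <user cache dir>/certspotter; it panics if the user cache directory cannot be determined.` would also make the failure mode visible to callers.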
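Review bot: `Prepare` hands `s.CacheDir` to `prepareCacheDir` without checking that it is set, so any code that constructs a `FilesystemState` without the new field now gets an opaque mkdir error on an empty path. If `Prepare` is not called first, `StoreIssuer` joins an empty base and writes `issuers/<hex>` relative to the working directory. Only the `main.go` caller is visible here, so other constructors (tests, embedders) may be affected. A guard at the top of `Prepare`, `if s.CacheDir == "" { return errors.New("monitor: FilesystemState.CacheDir is not set") }`, makes the requirement explicit. The struct field in the previous hunk would benefit from a comment like `// CacheDir holds re-creatable data (issuers/); required.`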
@@ -94,12 +101,12 @@ func (s *FilesystemState) RemoveSTH(ctx context.Context, logID LogID, sth *cttyp
 }
 
 func (s *FilesystemState) StoreIssuer(ctx context.Context, fingerprint *[32]byte, issuer []byte) error {
- filePath := filepath.Join(s.StateDir, "issuers", hex.EncodeToString(fingerprint[:]))
+ filePath := filepath.Join(s.CacheDir, "issuers", hex.EncodeToString(fingerprint[:]))
 return writeFile(filePath, issuer, 0666)
 }
 
 func (s *FilesystemState) LoadIssuer(ctx context.Context, fingerprint *[32]byte) ([]byte, error) {
- filePath := filepath.Join(s.StateDir, "issuers", hex.EncodeToString(fingerprint[:]))
+ filePath := filepath.Join(s.CacheDir, "issuers", hex.EncodeToString(fingerprint[:]))
 issuer, err := os.ReadFile(filePath)
 if errors.Is(err, fs.ErrNotExist) {
 return nil, nil
diff --git a/monitor/statedir.go b/monitor/statedir.go
index 534f48d..a163a7d 100644
--- a/monitor/statedir.go
+++ b/monitor/statedir.go
@@ -145,7 +145,7 @@ func prepareStateDir(stateDir string) error {
 return fmt.Errorf("%s was created by a newer version of certspotter; upgrade to the latest version of certspotter or remove this directory to start from scratch", stateDir)
 }
 
- for _, subdir := range []string{"certs", "logs", "healthchecks", "issuers"} {
+ for _, subdir := range []string{"certs", "logs", "healthchecks"} {
 if err := os.Mkdir(filepath.Join(stateDir, subdir), 0777); err != nil && !errors.Is(err, fs.ErrExist) {
 return err
 }
@@ -153,3 +153,15 @@ func prepareStateDir(stateDir string) error {
 
 return nil
 }
+
+func prepareCacheDir(cacheDir string) error {
+ if err := os.MkdirAll(cacheDir, 0777); err != nil {
+ return err
+ }
+ for _, subdir := range []string{"issuers"} {
+ if err := os.Mkdir(filepath.Join(cacheDir, subdir), 0777); err != nil && !errors.Is(err, fs.ErrExist) {
+ return err
+ }
+ }
+ return nil
+}
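Review bot: With the issuer store moved to `s.CacheDir`, the visible part of `LoadIssuer` returns the bytes read from `issuers/<hex fingerprint>` without checking that they match `fingerprint`. The function body continues past the hunk, so this may already be handled there or by the caller. A per-user cache directory is commonly pruned or rewritten by other tools, and `StoreIssuer` creates the file with mode `0666` (umask permitting), so a truncated or replaced entry would otherwise be accepted as the issuer certificate. If the fingerprint is the SHA-256 of the issuer bytes, which the `[32]byte` type suggests but the hunk does not show, a check such as `if sha256.Sum256(issuer) != *fingerprint { return nil, nil }` turns a bad entry into a cache miss. It needs `crypto/sha256` in the import block.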
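Review bot: Dropping `"issuers"` from the subdirectory list stops creating it, but nothing visible removes or reuses an `issuers` directory that an earlier version already populated under the state directory. It would stay on disk unused while the cache is refilled from scratch. `prepareStateDir` starts before this hunk, and the version check just above suggests there is an upgrade path where a one-time cleanup or move could go; that part is not visible here. At minimum a comment next to the list would help the next reader: `// issuers/ now lives in the cache directory; state dirs from older versions may still contain a stale copy`.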
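Review bot: `prepareCacheDir` creates the cache directory, any missing parents, and `issuers` with mode `0777`, which leaves access control entirely to the process umask; under a permissive umask other local users could write files that `LoadIssuer` later reads back. This mirrors the `0777` already used in `prepareStateDir`, but for a directory under the user cache location the XDG Base Directory convention is to create missing directories as `0700`. Suggest `os.MkdirAll(cacheDir, 0700)` and `os.Mkdir(filepath.Join(cacheDir, subdir), 0700)`, or `0755` if other accounts are expected to read the cache. A one-line doc comment, `// prepareCacheDir creates cacheDir and its subdirectories if they do not exist.`, would match what the function does.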