diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index c6a4b7029..3e7ca86e1 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -85,10 +85,11 @@ type AuthConfig struct {
 }
 type IngressConfig struct {
- Enabled bool `yaml:"enabled" default:"false"`
- Host string `yaml:"host" default:"ks.svc.cluster.local"`
- TLS []networking.IngressTLS `yaml:"tls"`
- Auth AuthConfig `yaml:"auth"`
+ Enabled bool `yaml:"enabled" default:"false"`
+ Host string `yaml:"host" default:"ks.svc.cluster.local"`
+ TLS []networking.IngressTLS `yaml:"tls"`
+ Auth AuthConfig `yaml:"auth"`
+ CertManager string `yaml:"certManager" default:"letsencrypt-prod"`
 }
 type TapConfig struct {
diff --git a/kubernetes/provider.go b/kubernetes/provider.go
index 09c9aabf0..f2ec5db4e 100644
--- a/kubernetes/provider.go
+++ b/kubernetes/provider.go
@@ -587,6 +587,7 @@ func (provider *Provider) BuildIngress() *networking.Ingress {
 }, provider),
 Annotations: map[string]string{
 "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
+ "certmanager.k8s.io/cluster-issuer": config.Config.Tap.Ingress.CertManager,
 },
 },
 Spec: networking.IngressSpec{
diff --git a/manifests/tls/certificate.yaml b/manifests/tls/certificate.yaml
new file mode 100644
index 000000000..c3dedbe3f
--- /dev/null
+++ b/manifests/tls/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: staging
+ namespace: default
+spec:
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ secretName: cert-testing
+ dnsNames:
+ - ks.svc.cluster.local
diff --git a/manifests/tls/cluster-issuer.yaml b/manifests/tls/cluster-issuer.yaml
new file mode 100644
index 000000000..cbb50cd02
--- /dev/null
+++ b/manifests/tls/cluster-issuer.yaml
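Review bot: The new `CertManager` field in `IngressConfig` is undocumented and its name is misleading: judging by how the provider.go hunk uses it, it holds the name of a cert-manager ClusterIssuer rather than a cert-manager setting. A comment such as `// CertManager is the name of the cert-manager ClusterIssuer asked to issue the Ingress certificate.` would make that clear. The non-empty default `letsencrypt-prod` also means a user who never sets `certManager` still gets a production issuer reference; an empty default would make the feature opt-in.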
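Review bot: The annotation key added in `BuildIngress`, `certmanager.k8s.io/cluster-issuer`, uses the legacy API group that cert-manager dropped in v0.11, while the manifests in this commit use `cert-manager.io/v1` and run.sh installs v1.9.1. That release looks for `cert-manager.io/cluster-issuer`, so the Ingress would most likely be ignored and no certificate issued, leaving TLS unprovisioned without any error. The line should read `"cert-manager.io/cluster-issuer": config.Config.Tap.Ingress.CertManager,`. Since the value is written unconditionally, it would also be safer to add the annotation only when the setting is non-empty. The function body starts and ends outside this hunk.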
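Review bot: The only `dnsNames` entry, `ks.svc.cluster.local`, is a cluster-internal name, yet `issuerRef` points at the `letsencrypt-prod` ClusterIssuer, which this commit configures with an HTTP-01 solver. A public ACME CA cannot validate a name that is not publicly resolvable, so this Certificate will probably stay pending while retries count against the production endpoint. The object is also named `staging` with secret `cert-testing` although it references the production issuer, which invites confusion about which environment it targets. I would add a leading comment, `# Replace dnsNames with a publicly resolvable host before applying.`, and align the names with the issuer actually used.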
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: info@kubeshark.com
+ privateKeySecretRef:
+ name: letsencrypt-prod-key
+ solvers:
+ - http01:
+ ingress:
+ class: kubeshark-ingress-class
diff --git a/manifests/tls/run.sh b/manifests/tls/run.sh
new file mode 100755
index 000000000..ffe1d263f
--- /dev/null
+++ b/manifests/tls/run.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+helm install \
+cert-manager jetstack/cert-manager \
+--namespace cert-manager \
+--create-namespace \
+--version v1.9.1
+
+kubectl apply -f ${__dir}/cluster-issuer.yaml
+kubectl apply -f ${__dir}/certificate.yaml
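Review bot: The hard-coded `email: info@kubeshark.com` registers the ACME account under the project's address in every cluster that applies this file, so expiry and account notices would reach the project rather than the operator who owns the certificates. The value should be something the operator has to fill in, with a comment such as `# email: contact address of the cluster operator; required by the ACME account`. Because `server` is the production directory, a companion issuer pointing at the Let's Encrypt staging directory (`https://acme-staging-v02.api.letsencrypt.org/directory`) would let people try the setup without spending production rate limits.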
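Review bot: The script has no error handling, so if `helm install` or the CRD apply fails, the two final `kubectl apply` calls still run against a cluster where cert-manager is missing or half installed. Adding `set -euo pipefail` right after the shebang would stop it at the first failure. `${__dir}` is also unquoted in the last two lines and breaks when the checkout path contains spaces; use `kubectl apply -f "${__dir}/cluster-issuer.yaml"` and likewise for certificate.yaml. The ClusterIssuer is applied straight after `helm install` returns, so the cert-manager webhook may not be ready yet; passing `--wait` to `helm install` would avoid that race. The CRD manifest is fetched from a release URL and applied with cluster-wide rights without an integrity check, so a vendored copy or a checksum comparison before applying would be the more careful choice.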