diff --git a/kubernetes/apps/cert-manager/cert-manager.yaml b/kubernetes/apps/cert-manager/cert-manager.yaml
index 3c35f24..591ffe1 100644
--- a/kubernetes/apps/cert-manager/cert-manager.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager.yaml
@@ -63,4 +63,56 @@ spec:
 postBuild:
 substituteFrom:
 - kind: Secret
- name: clusterissuer-secrets
\ No newline at end of file
+ name: clusterissuer-secrets
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: certificate-secrets
+ namespace: cert-manager
+spec:
+ interval: 10m
+ timeout: 1m30s
+ retryInterval: 30s
+ targetNamespace: cert-manager
+ path: ./certificates
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: home-cluster-ops-secrets
+ dependsOn:
+ - name: repositories
+ namespace: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: cert-manager-sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: certificates
+ namespace: cert-manager
+spec:
+ interval: 10m
+ timeout: 1m30s
+ retryInterval: 30s
+ targetNamespace: cert-manager
+ path: ./kubernetes/apps/cert-manager/certificates
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: flux-system
+ dependsOn:
+ - name: certificate-secrets
+ namespace: cert-manager
+ - name: cert-manager
+ namespace: cert-manager
+ - name: clusterissuer
+ namespace: cert-manager
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: certificate-secrets
\ No newline at end of file
diff --git a/kubernetes/apps/cert-manager/clusterissuer/adguard-home.yaml b/kubernetes/apps/cert-manager/certificates/adguard-home.yaml
similarity index 85%
rename from kubernetes/apps/cert-manager/clusterissuer/adguard-home.yaml
rename to kubernetes/apps/cert-manager/certificates/adguard-home.yaml
index f1faea8..3d44f60 100644
--- a/kubernetes/apps/cert-manager/clusterissuer/adguard-home.yaml
+++ b/kubernetes/apps/cert-manager/certificates/adguard-home.yaml
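Review bot: Neither Kustomization added to cert-manager.yaml (`certificate-secrets`, `certificates`) sets `spec.serviceAccountName`, so both are applied with kustomize-controller's own service account, which is bound to cluster-admin in a default Flux install. `targetNamespace: cert-manager` only rewrites the namespace of namespaced objects; it does not stop a manifest under `./certificates` in `home-cluster-ops-secrets` from creating cluster-scoped resources. Consider adding `serviceAccountName: <reconciler-service-account>` (placeholder name) to each, bound to a Role in `cert-manager` limited to the Secret and Certificate kinds these paths are expected to hold. The file also still ends without a trailing newline after the final `name: certificate-secrets`.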
@@ -17,8 +17,8 @@ spec: pkcs12: create: true passwordSecretRef: - name: cert-manager-tls-keystore - key: ${cert_manager_tls_keystore_password} + name: adguard-home-tls-keystore + key: ${adguard_home_certificate_tls_keystore_password} profile: Modern2023 duration: 2160h # 90d @@ -42,12 +42,10 @@ spec: # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required. dnsNames: - - "adguard-home.cluster.edward.sydney" - - "*.adguard-home.cluster.edward.sydney" + - "${adguard_home_certificate_dns_name}" + - "*.${adguard_home_certificate_dns_name}" emailAddresses: - - edward@cheng.sydney - ipAddresses: - - 192.168.0.180 + - ${adguard_home_certificate_email} # Issuer references are always required. issuerRef:
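Review bot: In the `pkcs12` hunk, `passwordSecretRef.key` is the name of the entry inside the `adguard-home-tls-keystore` Secret that holds the keystore password, not the password itself. The variable name `adguard_home_certificate_tls_keystore_password` suggests the password value is being substituted into this field; if so, it ends up in clear text in the Certificate object, readable by anyone allowed to get Certificates in the namespace. In that case use a fixed entry name, for example `key: password`, and keep the value only in the Secret. The enclosing `spec` block starts and ends outside the hunk.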
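Review bot: The added entry under `emailAddresses`, `- ${adguard_home_certificate_email}`, is unquoted, unlike the substituted `dnsNames` values above it. Post-build substitution is textual, so an unset or empty variable leaves a null list item here, and a value containing YAML-significant characters would change the structure. Write it as `- "${adguard_home_certificate_email}"`. It is also worth confirming that the `certificate-secrets` Secret defines every variable this file uses, since an empty `adguard_home_certificate_dns_name` would turn the wildcard entry into a bare `*.`.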