diff --git a/traefik/base/003-certificates.yaml b/traefik/base/003-certificates.yaml
new file mode 100644
index 0000000..da0be83
--- /dev/null
+++ b/traefik/base/003-certificates.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mziesel-nl-wildcard-cert
+spec:
+  secretName: mziesel-nl-wildcard-cert-secret
+  issuerRef:
+    name: cloudflare-issuer
+    kind: ClusterIssuer
+  dnsNames:
+    - mziesel.nl
+    - *.mziesel.nl
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mziesel-com-wildcard-cert
+spec:
+  secretName: mziesel-com-wildcard-cert-secret
+  issuerRef:
+    name: cloudflare-issuer
+    kind: ClusterIssuer
+  dnsNames:
+    - mziesel.com
+    - *.mziesel.com
+---
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+spec:
+  certificates:
+    - secretName: mziesel-nl-wildcard-cert-secret
+    - secretName: mziesel-com-wildcard-cert-secret
diff --git a/traefik/kustomization.yaml b/traefik/kustomization.yaml
index 403fbbb..d1cc759 100644
--- a/traefik/kustomization.yaml
+++ b/traefik/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - ./base/002-traefik.yaml
 - ./base/002-traefik-services.yaml
 - https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+- ./base/003-certificates.yaml
diff --git a/whoami/base/whoami-ingress.yaml b/whoami/base/whoami-ingress.yaml
index 8183e43..abfac8e 100644
--- a/whoami/base/whoami-ingress.yaml
+++ b/whoami/base/whoami-ingress.yaml
@@ -22,5 +22,5 @@ spec:
     services:
     - name: whoami
       port: web
-  tls:
-    secretName: whoami.mziesel.nl-secret
+  tls: {}
+    #   secretName: whoami.mziesel.nl-secret