diff --git a/cert-manager/base/cloudflare-clusterissuer.yaml b/cert-manager/base/cloudflare-clusterissuer.yaml
new file mode 100644
index 0000000..2854cef
--- /dev/null
+++ b/cert-manager/base/cloudflare-clusterissuer.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-issuer
+spec:
+  acme:
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
diff --git a/cert-manager/base/mziesel-ca.yaml b/cert-manager/base/mziesel-ca.yaml
index 41d6c84..44900e1 100644
--- a/cert-manager/base/mziesel-ca.yaml
+++ b/cert-manager/base/mziesel-ca.yaml
@@ -28,3 +28,4 @@ metadata:
 spec:
   ca:
     secretName: mziesel-root-secret
+
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index a808203..aa18237 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -6,3 +6,5 @@ namespace: cert-manager
 resources:
   - https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml
   - ./base/mziesel-ca.yaml
+  - ./secret_nocommit/cloudflare-api-token-secret.yaml
+  - ./base/cloudflare-clusterissuer.yaml