diff --git a/Tiltfile b/Tiltfile
index 3156ca9..6ef80a1 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -30,6 +30,20 @@ helm_remote('cilium',
             repo_url='https://helm.cilium.io')
 k8s_yaml('./test/cilium/dual-stack/crd-values.yaml')
 
+# Cert-manager
+helm_remote('cert-manager',
+            version="v1.15.3",
+            namespace="kube-system",
+            repo_name='jetstack',
+            set=['crds.enabled=true'],
+            repo_url='https://charts.jetstack.io')
+k8s_yaml('./test/cert-manager/clusterIssuer.yaml')
+
+helm_remote('cert-manager-webhook-pinax',
+            version="0.1.0",
+            namespace="kube-system",
+            repo_name='oci://ghcr.io/pinax-network/charts',
+            set=['certManager.namespace=kube-system'])
 
 # CoreDNS with updated RBAC
 k8s_yaml(helm(
@@ -82,3 +96,4 @@ k8s_yaml('./test/gateway-api/resources.yml')
 k8s_yaml('./test/gatewayclasses.yaml')
 k8s_yaml('./test/dual-stack/service-annotation.yml')
 k8s_yaml('./test/dual-stack/ingress-services.yml')
+k8s_yaml('./test/dual-stack/certificate.yaml')
diff --git a/test/cert-manager/clusterIssuer.yaml b/test/cert-manager/clusterIssuer.yaml
new file mode 100644
index 0000000..6702e47
--- /dev/null
+++ b/test/cert-manager/clusterIssuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns-01
+spec:
+  acme:
+    # Use Let's Encrypt staging server
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: guillaume@pinax.network
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.pinax.io
+            solverName: pinax-webhook-solver
diff --git a/test/dual-stack/certificate.yaml b/test/dual-stack/certificate.yaml
new file mode 100644
index 0000000..f4e914b
--- /dev/null
+++ b/test/dual-stack/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: myservicea-cert
+  namespace: default
+spec:
+  secretName: my-service-cert-secret
+  issuerRef:
+    name: letsencrypt-dns-01 # ClusterIssuer or Issuer name
+    kind: ClusterIssuer # Or Issuer, depending on your configuration
+  dnsNames:
+    - myservicea.foo.org
diff --git a/test/single-stack/certificate.yaml b/test/single-stack/certificate.yaml
new file mode 100644
index 0000000..f4e914b
--- /dev/null
+++ b/test/single-stack/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: myservicea-cert
+  namespace: default
+spec:
+  secretName: my-service-cert-secret
+  issuerRef:
+    name: letsencrypt-dns-01 # ClusterIssuer or Issuer name
+    kind: ClusterIssuer # Or Issuer, depending on your configuration
+  dnsNames:
+    - myservicea.foo.org