diff --git a/deploy/cert-manager/ca-cert-generator-role-binding.yml b/deploy/cert-manager/ca-cert-generator-role-binding.yml
new file mode 100644
index 0000000000..34f3a72fc7
--- /dev/null
+++ b/deploy/cert-manager/ca-cert-generator-role-binding.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ca-cert-generator-role-binding
+ namespace: cert-manager
+subjects:
+- kind: ServiceAccount
+ name: ca-cert-generator
+ apiGroup: ''
+roleRef:
+ kind: Role
+ name: ca-cert-generator-role
+ apiGroup: ''
diff --git a/deploy/cert-manager/ca-cert-generator-role.yml b/deploy/cert-manager/ca-cert-generator-role.yml
new file mode 100644
index 0000000000..b4fda8e4c1
--- /dev/null
+++ b/deploy/cert-manager/ca-cert-generator-role.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ca-cert-generator-role
+ namespace: cert-manager
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
diff --git a/deploy/cert-manager/che-certificate.yml b/deploy/cert-manager/che-certificate.yml
new file mode 100644
index 0000000000..e624ff4f12
--- /dev/null
+++ b/deploy/cert-manager/che-certificate.yml
@@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: che-certificate
+ namespace: che
+spec:
+ secretName: che-tls
+ issuerRef:
+ name: che-cluster-issuer
+ kind: ClusterIssuer
+ # This is a template and it will be set from --domain parameter
+ # For example: '*.192.168.99.100.nip.io'
+ commonName: '*.'
+ dnsNames:
+ - '*.'
diff --git a/deploy/cert-manager/che-cluster-issuer.yml b/deploy/cert-manager/che-cluster-issuer.yml
new file mode 100644
index 0000000000..488fdb0821
--- /dev/null
+++ b/deploy/cert-manager/che-cluster-issuer.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: che-cluster-issuer
+ namespace: cert-manager
+spec:
+ ca:
+ secretName: ca
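Review bot: In ca-cert-generator-role-binding.yml, `roleRef` is written with `apiGroup: ''` and the ServiceAccount subject has no `namespace`, so what the binding grants depends on server-side defaulting rather than on the manifest. An empty group is right for the subject, but `roleRef` points at an RBAC Role and would read unambiguously as `apiGroup: rbac.authorization.k8s.io`. I would also add `namespace: cert-manager` under the subject so the file itself states which namespace's `ca-cert-generator` account receives the grant; as far as I know an omitted namespace falls back to the binding's own namespace, but that is worth confirming against the clusters this targets.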
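Review bot: The single rule in ca-cert-generator-role.yml carries no comment explaining why the account needs `create` on `secrets`, and that is the line an auditor will stop at. Kubernetes cannot narrow `create` with `resourceNames`, so the holder can create a secret of any name in `cert-manager`; keeping the verb list to `create` alone is the available limit. I would record that above `rules:`, for example `# create only: the generator writes the CA secret once; get/list/update/delete are intentionally not granted`, if that matches the intent of the generator job, which is not visible in this diff.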
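Review bot: In che-certificate.yml, `commonName: '*.'` and the `dnsNames` entry `'*.'` are placeholders that are not valid names on their own, and the existing comment does not say what happens if the file is applied unmodified or with an empty `--domain`. The code that fills them in is outside this diff, so this is a request to confirm that it rejects an empty domain before applying, and to tighten the comment to something like `# Placeholder: the installer appends the --domain value to '*.'; never apply this file as-is`. Since the resulting wildcard certificate is valid for every host under that domain, read access to the `che-tls` secret should stay limited to the components that terminate TLS. The hard-coded `namespace: che` also looks like it assumes the default install namespace; verify against the caller.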
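Review bot: `namespace: cert-manager` under `metadata` in che-cluster-issuer.yml is misleading, because a ClusterIssuer is cluster-scoped and the field has no effect there; I would drop that line. The scope matters for review: any Certificate in any namespace can reference `che-cluster-issuer` and obtain a certificate signed by the CA in secret `ca`, which cert-manager reads from its own cluster-resource namespace rather than from a namespace named in this file. If only Che needs this CA, a namespaced `Issuer` would narrow who can request certificates from it, at the cost of the CA secret having to sit in the same namespace as the Issuer; otherwise add a comment such as `# Cluster-wide: any namespace may request certificates from this CA`.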