diff --git a/cert-manager/sealedsecret-cloudflare-api-key.yaml b/cert-manager/sealedsecret-cloudflare-api-key.yaml
new file mode 100644
index 0000000..1b1d8d6
--- /dev/null
+++ b/cert-manager/sealedsecret-cloudflare-api-key.yaml
@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "cloudflare-api-key",
+    "namespace": "cert-manager",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "cloudflare-api-key",
+        "namespace": "cert-manager",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "cloudflare_api_key": "AgChqWD0JHDwnlg+U+O3Yl0acYIeDnekCj1gRu1kQVFIIukO0rZxxgwDBwB1FAnK7+H/tZsoQCLg+YRmmzqXW7fcxsvad7Ba35JFZnXXc4heCji1FeTZm9M8lLKPXsr/jSV2d2md4BFXxeHBwQtq6Km5OsPkeGiUGVo09w7q0dBhp7wcJ6Dgu3m2c2x8hQKVz0zR4AreMBRwmCw7x/dXPmoCuz/dRQzbQGZ57Z0nZ/4OWF/YBv8NYzjK7//R9QKMGXJJ28NcrXv06v/0CNtVoADbue/kD4d1a9MTBojkHSNvd8CIsIFSnBDPYP4ApnmGBiirfnVJ//AE7iVSCtl96SR9pwqFnE2xCXaAGBlWLVebCGx45W0q3qbC6isZbQLjdekQNu4LDjMs5QQVUM7/+6SusxKJrFbNEyKpWjV6IDQBaZTMkO3gTAq3ZRXGoiLy/FZZihudGa8bym7GJGkl0ZVb8hpkUBiNp3cHQFizdCMVF/3ebjmn0Mf250Kg0J6iymECZ2IdHsjjmRYyJv3Mi7wWdiCG8nOhUwwi1/379rjkbPSZadng/MmgDc8p1IhIFiaLaXTHwr3ZYtQOXpdzAQGJXtIYX4ZO5CFwoCf3UDneCjEntJwi9htaH+KtZFx2Um4LTChsTKEk4D4f64vj7a5k7neSwgpZYZg7DncAubbqKY5vgGuZlT2KMkJPs45LNO713Rf48pom/ZAxWJz6b52r+T0UYhZeF/Ffb1Kw1jrJzENu8ONj"
+    }
+  }
+}
diff --git a/letsencrypt-wildcard-cert/certificate-wildcard-cert-letsencrypt-staging.yaml b/letsencrypt-wildcard-cert/certificate-wildcard-cert-letsencrypt-staging.yaml
new file mode 100644
index 0000000..c539430
--- /dev/null
+++ b/letsencrypt-wildcard-cert/certificate-wildcard-cert-letsencrypt-staging.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: letsencrypt-wildcard-cert-michaelthomson.dev-staging
+  namespace: letsencrypt-wildcard-cert
+spec:
+  # secretName doesn't have to match the certificate name, but it may as well, for simplicity!
+  secretName: letsencrypt-wildcard-cert-michaelthomson.dev-staging 
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  dnsNames:
+    - "michaelthomson.dev"
+    - "*.michaelthomson.dev"