diff --git a/cert-manager/issuer-production.yml b/cert-manager/issuer-production.yml
index 48993e3..ce225bc 100644
--- a/cert-manager/issuer-production.yml
+++ b/cert-manager/issuer-production.yml
@@ -1,3 +1,5 @@
+# Legacy issuer that is not managed by Kustomize.
+# For new certificates, prefer prod/clusterissuer.yaml.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
diff --git a/cert-manager/issuer-staging.yml b/cert-manager/issuer-staging.yml
index 2c55951..d5aca6b 100644
--- a/cert-manager/issuer-staging.yml
+++ b/cert-manager/issuer-staging.yml
@@ -1,3 +1,5 @@
+# Legacy issuer that is not managed by Kustomize.
+# For new certificates, add staging/clusterissuer.yaml.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
diff --git a/deploy/prod/clusterissuer-staging.yaml b/deploy/prod/clusterissuer-staging.yaml
new file mode 100644
index 0000000..32ace51
--- /dev/null
+++ b/deploy/prod/clusterissuer-staging.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: postmaster@netflux.io
+    privateKeySecretRef:
+      name: prod-letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: prod-nginx
+    - dns01:
+        route53:
+          region: eu-west-1
+          hostedZoneID: Z1OSEC2E6M9VER
+          accessKeyID: AKIARZPRT6YGHAENBEEX
+          secretAccessKeySecretRef:
+            # Using name reference transformers to manage this didn't work,
+            # probably because ClusterIssuer is a cluster-scoped resource.
+            #
+            # For now, this secret should be provisioned manually in the
+            # cert-manager namespace:
+            name: prod-aws-credentials
+            key: secret
diff --git a/deploy/prod/clusterissuer.yaml b/deploy/prod/clusterissuer.yaml
new file mode 100644
index 0000000..6c2a570
--- /dev/null
+++ b/deploy/prod/clusterissuer.yaml
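Review bot: The pointer comment added in this hunk names a file this commit does not create, `staging/clusterissuer.yaml`, while the staging issuer actually added is `deploy/prod/clusterissuer-staging.yaml`; the sibling comment in cert-manager/issuer-production.yml abbreviates the other new file to `prod/clusterissuer.yaml`. A reader following either comment has to guess the real path. Suggest spelling out the repository-relative paths, e.g. `# For new certificates, use deploy/prod/clusterissuer-staging.yaml instead.` here and `# For new certificates, use deploy/prod/clusterissuer.yaml instead.` in the production file. Since ClusterIssuer is cluster-scoped, it would also help to state whether the legacy object is meant to remain or be deleted once the Kustomize-managed one is applied; its metadata.name is outside the hunk, so I cannot tell from here whether the two names collide.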
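Review bot: The Route53 DNS-01 solver in this new ClusterIssuer authenticates with a static IAM user key — `accessKeyID: AKIARZPRT6YGHAENBEEX` plus a secret that, per the comment above `name: prod-aws-credentials`, is now created by hand in the cert-manager namespace — and the same key ID and hosted zone are reused in deploy/prod/clusterissuer.yaml. Once the aws-credentials secretGenerator is dropped from deploy/prod/kustomization.yaml nothing in the repo records how this key is rotated or how tightly its IAM policy is scoped. cert-manager's route53 solver can instead use ambient credentials (an instance or pod role) or assume a role through the `role` field; if a static key must stay, its policy should be limited to route53:ChangeResourceRecordSets on this hosted zone plus route53:GetChange, and the manifest should say so. A minimal change is a note beside the key: `# TODO: replace this static key with an IAM role (route53 role / ambient credentials); until then its policy must be scoped to hosted zone Z1OSEC2E6M9VER.` The manual-provisioning comment would also be more useful if it named the expected secret data key (`secret`, matching `key: secret` below) so the hand-created Secret is shaped correctly the first time.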
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: postmaster@netflux.io
+    privateKeySecretRef:
+      name: prod-letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: prod-nginx
+    - dns01:
+        route53:
+          region: eu-west-1
+          hostedZoneID: Z1OSEC2E6M9VER
+          accessKeyID: AKIARZPRT6YGHAENBEEX
+          secretAccessKeySecretRef:
+            # Using name reference transformers to manage this didn't work,
+            # possibly because ClusterIssuer is a cluster-scoped resource.
+            #
+            # For now, this secret should be provisioned manually in the
+            # cert-manager namespace:
+            name: prod-aws-credentials
+            key: secret
diff --git a/deploy/prod/kustomization.yaml b/deploy/prod/kustomization.yaml
index 3ba838a..62fafdf 100644
--- a/deploy/prod/kustomization.yaml
+++ b/deploy/prod/kustomization.yaml
@@ -4,7 +4,8 @@ resources:
 - svc-db.yaml
 - svc-netflux.yaml
 - cm-ingress-nginx-tcp-services.yaml
-
+- clusterissuer.yaml
+- clusterissuer-staging.yaml
 configMapGenerator:
 - name: prometheus-server
   behavior: merge
@@ -98,10 +99,6 @@ secretGenerator:
   options:
     labels:
       app: solar-toolkit-gateway
-- name: aws-credentials
-  files:
-  - key=secrets/aws-access-key-id
-  - secret=secrets/aws-secret-access-key
 patches:
 # Patch the ingress-nginx deployment to allow it to use a service with a
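Review bot: This file is a copy of deploy/prod/clusterissuer-staging.yaml with four values changed, and the two copies have already drifted in the secretAccessKeySecretRef comment (`# probably because ClusterIssuer is a cluster-scoped resource.` there versus `# possibly because ClusterIssuer is a cluster-scoped resource.` here). Keeping that explanatory comment identical in both files, or moving the manual secret-provisioning instructions to one place that both files point at, would stop them drifting further; the static-credential point raised on the staging file applies here unchanged.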