diff --git a/kubernetes/teyvat/apps/network/nginx/certificates/certificates.yaml b/kubernetes/teyvat/apps/network/nginx/certificates/certificates.yaml
index bc0a2540e5..c8f5f9427c 100644
--- a/kubernetes/teyvat/apps/network/nginx/certificates/certificates.yaml
+++ b/kubernetes/teyvat/apps/network/nginx/certificates/certificates.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretName: "${SECRET_DOMAIN}-tls"
   issuerRef:
-    name: letsencrypt-staging
+    name: letsencrypt-production
     kind: ClusterIssuer
   commonName: "${SECRET_DOMAIN}"
   dnsNames:
diff --git a/kubernetes/teyvat/apps/network/nginx/certificates/kustomization.yaml b/kubernetes/teyvat/apps/network/nginx/certificates/kustomization.yaml
index 794280df35..196559c910 100644
--- a/kubernetes/teyvat/apps/network/nginx/certificates/kustomization.yaml
+++ b/kubernetes/teyvat/apps/network/nginx/certificates/kustomization.yaml
@@ -3,4 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./certificates.yaml
+  # - ./certificates.yaml
+  - ./staging.yaml
diff --git a/kubernetes/teyvat/apps/network/nginx/certificates/staging.yaml b/kubernetes/teyvat/apps/network/nginx/certificates/staging.yaml
new file mode 100644
index 0000000000..9c86942517
--- /dev/null
+++ b/kubernetes/teyvat/apps/network/nginx/certificates/staging.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "${SECRET_DOMAIN/./-}-staging"
+spec:
+  secretName: "${SECRET_DOMAIN/./-}-staging-tls"
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: "${SECRET_DOMAIN}"
+  dnsNames:
+    - "${SECRET_DOMAIN}"
+    - "*.${SECRET_DOMAIN}"