diff --git a/config/local-setup/workloads/apicast.yaml b/config/local-setup/workloads/apicast.yaml index 029caf89..1309f158 100644 --- a/config/local-setup/workloads/apicast.yaml +++ b/config/local-setup/workloads/apicast.yaml @@ -1,3 +1,27 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: apicast-staging-wildcard-cert +spec: + dnsNames: ["*.REPLACE"] + issuerRef: + kind: ClusterIssuer + name: selfsigned-cluster-issuer + secretName: apicast-staging-wildcard-cert + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: apicast-production-wildcard-cert +spec: + dnsNames: ["*.REPLACE"] + issuerRef: + kind: ClusterIssuer + name: selfsigned-cluster-issuer + secretName: apicast-production-wildcard-cert + +--- apiVersion: saas.3scale.net/v1alpha1 kind: Apicast metadata: @@ -12,7 +36,7 @@ spec: config: configurationCache: 300 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: ['*.REPLACE']} + endpoint: {dns: ["*.REPLACE"]} hpa: {} loadBalancer: proxyProtocol: false @@ -27,6 +51,12 @@ spec: proxyProtocol: false port: 38080 routeConfigName: router + https: + listenerHttp: + proxyProtocol: false + certificateSecretName: apicast-production-wildcard-cert + port: 38443 + routeConfigName: router router: routeConfiguration: virtualHosts: @@ -62,7 +92,7 @@ spec: config: configurationCache: 60 threescalePortalEndpoint: "http://mapping-service/config" - endpoint: {dns: ['*.REPLACE']} + endpoint: {dns: ["*.REPLACE"]} hpa: {} loadBalancer: proxyProtocol: false @@ -77,6 +107,12 @@ spec: proxyProtocol: false port: 38080 routeConfigName: router + https: + listenerHttp: + proxyProtocol: false + certificateSecretName: apicast-staging-wildcard-cert + port: 38443 + routeConfigName: router mgmt_cluster: cluster: host: 127.0.0.1 diff --git a/config/local-setup/workloads/backend.yaml b/config/local-setup/workloads/backend.yaml index bc311b1b..a49ad88b 100644 --- a/config/local-setup/workloads/backend.yaml 
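Review bot: The two Certificate objects added at the top of apicast.yaml set only `dnsNames`, so if `selfsigned-cluster-issuer` is a cert-manager SelfSigned issuer (its definition is not in this diff), the issued certificates carry an empty subject and issuer DN, which some TLS clients reject. Giving each Certificate a subject avoids that, for example `subject: {organizations: ["local-setup"]}` under `spec` (the organization value is a constructed sample). A comment such as `# self-signed leaf for local development only; not chained to a CA that clients trust` would also help readers who copy these manifests. The same applies to `backend-cert` in backend.yaml and `echoapi-cert` in echoapi.yaml.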
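Review bot: The new `https` listener on port 38443 sits next to the listener on port 38080 shown in the context lines, which appears to stay in place, so the workload would still accept cleartext traffic; if that is intended for the local setup, a comment should say so. The listener also depends on `certificateSecretName` matching the `secretName` of the Certificate added at the top of the file, and nothing in the manifest records that link. I would add `# TLS listener; secret is written by the apicast-production-wildcard-cert Certificate in this file` above `https:`. The enclosing listener collection starts outside the hunk. The same holds for the staging listener hunk in this file and for the `https` listeners added in backend.yaml and echoapi.yaml.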
+++ b/config/local-setup/workloads/backend.yaml @@ -1,3 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: backend-cert +spec: + dnsNames: ["REPLACE"] + issuerRef: + kind: ClusterIssuer + name: selfsigned-cluster-issuer + secretName: backend-cert + --- apiVersion: saas.3scale.net/v1alpha1 kind: Backend @@ -42,6 +53,12 @@ spec: port: 38081 proxyProtocol: false routeConfigName: router_internal + https: + listenerHttp: + proxyProtocol: false + certificateSecretName: backend-cert + port: 38443 + routeConfigName: router_external router_external: routeConfiguration: virtualHosts: diff --git a/config/local-setup/workloads/echoapi.yaml b/config/local-setup/workloads/echoapi.yaml index b39f8616..aa22133c 100644 --- a/config/local-setup/workloads/echoapi.yaml +++ b/config/local-setup/workloads/echoapi.yaml @@ -1,3 +1,15 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: echoapi-cert +spec: + dnsNames: ["REPLACE"] + issuerRef: + kind: ClusterIssuer + name: selfsigned-cluster-issuer + secretName: echoapi-cert + +--- apiVersion: saas.3scale.net/v1alpha1 kind: EchoAPI metadata: @@ -33,6 +45,12 @@ spec: proxyProtocol: false port: 38080 routeConfigName: echo_api_route + https: + listenerHttp: + proxyProtocol: false + certificateSecretName: echoapi-cert + port: 38443 + routeConfigName: echo_api_route envoyImage: REPLACE nodeID: echo-api ports: diff --git a/config/local-setup/workloads/replacements/domains.yaml b/config/local-setup/workloads/replacements/domains.yaml index e6f2cad2..39616746 100644 --- a/config/local-setup/workloads/replacements/domains.yaml +++ b/config/local-setup/workloads/replacements/domains.yaml @@ -15,6 +15,14 @@ kind: System fieldPaths: - spec.config.apicast.stagingDomain + - select: + kind: Certificate + name: apicast-staging-wildcard-cert + fieldPaths: + - spec.dnsNames.0 + options: + delimiter: "." + index: 1 - source: kind: ConfigMap name: config 
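Review bot: The target added in the first domains.yaml hunk addresses the certificate host as `spec.dnsNames.0`, so the replacement is tied to the position of the entry rather than its content; if another SAN were ever placed first in the Certificate, the wrong entry would be rewritten. A comment above the target would record that, for example `# dnsNames[0] must stay the templated "*.REPLACE" entry; delimiter "." / index 1 rewrites only the part after the wildcard label`. Because the resulting name is a single-label wildcard, it will not match the bare domain or hosts more than one label below it, which is worth confirming against the hostnames the staging and production gateways serve. The same positional dependency applies to the targets added for `apicast-production-wildcard-cert`, `echoapi-cert` and `backend-cert` in the later hunks of this file. The enclosing list of targets starts outside the hunk.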
@@ -31,6 +39,14 @@ kind: System fieldPaths: - spec.config.apicast.productionDomain + - select: + kind: Certificate + name: apicast-production-wildcard-cert + fieldPaths: + - spec.dnsNames.0 + options: + delimiter: "." + index: 1 # CONFIGURE AUTOSSL ENDPOINT - source: @@ -66,6 +82,11 @@ kind: EchoAPI fieldPaths: - spec.endpoint.dns.0 + - select: + kind: Certificate + name: echoapi-cert + fieldPaths: + - spec.dnsNames.0 # CONFIGURE BACKEND ENDPOINT - source: @@ -84,6 +105,11 @@ options: delimiter: "/" index: 2 + - select: + kind: Certificate + name: backend-cert + fieldPaths: + - spec.dnsNames.0 # CONFIGURE SYSTEM ENDPOINT - source: