diff --git a/charts/countly-web-ui-canary/templates/certificate.yaml b/charts/countly-web-ui-canary/templates/certificate.yaml
new file mode 100644
index 0000000..b9c0ad8
--- /dev/null
+++ b/charts/countly-web-ui-canary/templates/certificate.yaml
@@ -0,0 +1,37 @@
+{{/*
+Explicit Certificate resource (rather than relying on cert-manager's ingress-shim
+auto-creation from the Ingress's cert-manager.io/cluster-issuer annotation).
+
+We need the cert-manager.io/issue-temporary-certificate annotation on the
+Certificate so cert-manager pre-populates the TLS Secret with a self-signed
+cert immediately. Without it, F5 NIC's `ssl_reject_handshake on` for hosts
+without a cert kills cert-manager's HTTP-01 self-check (it follows the
+hardcoded HTTP→HTTPS redirect and the TLS handshake fails with
+`tls: unrecognized name`).
+
+ingress-shim in cert-manager v1.17 doesn't propagate the
+issue-temporary-certificate annotation from Ingress to Certificate, so the
+chart owns the Certificate directly.
+*/}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "canary.fullname" . }}-tls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "canary.labels" . | nindent 4 }}
+ annotations:
+ cert-manager.io/issue-temporary-certificate: "true"
+spec:
+ secretName: {{ include "canary.fullname" . }}-tls
+ duration: 2160h # 90d
+ renewBefore: 720h # 30d (renew when 1/3 lifetime remaining)
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ rotationPolicy: Always
+ dnsNames:
+ - {{ include "canary.hostname" . | quote }}
+ issuerRef:
+ name: {{ required "ingress.tls.clusterIssuer is required" .Values.ingress.tls.clusterIssuer | quote }}
+ kind: ClusterIssuer
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
index ebb25f1..0b09d0e 100644
--- a/charts/countly-web-ui-canary/templates/ingress.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress.yaml
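Review bot: `secretName: {{ include "canary.fullname" . }}-tls` is only correct if it equals the Ingress's `spec.tls[].secretName`, which this diff does not show; a mismatch leaves the host without a usable certificate and neither controller reports an error for it. I believe ingress-shim names the Certificate it auto-creates after that same secret, so upgrading a release that previously carried the cluster-issuer annotation may find an Ingress-owned Certificate `<fullname>-tls` already present — Helm refuses to adopt an object it did not create, and ingress-shim garbage-collects its own Certificate once the annotation is gone — so the first upgrade may need a one-time delete (hedged; verify on a test release). Worth stating in the template header, e.g. `secretName must match spec.tls[].secretName in ingress.yaml; on first upgrade from ingress-shim, remove the shim-created Certificate of the same name before applying.` The temporary self-signed certificate that `issue-temporary-certificate` places in the Secret will presumably also be served to real clients until ACME completes, which browsers reject; acceptable for a canary, but a line in the comment saying so would stop operators from reading those errors as an outage.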
@@ -12,15 +12,10 @@ metadata:
 labels:
 {{- include "canary.labels" . | nindent 4 }}
 annotations:
- cert-manager.io/cluster-issuer: {{ required "ingress.tls.clusterIssuer is required" .Values.ingress.tls.clusterIssuer | quote }}
- # Issue a self-signed temporary cert immediately so the TLS handshake works
- # while the real Let's Encrypt cert is being issued. Without this, F5 NIC
- # has `ssl_reject_handshake on` for hosts without a cert, which makes
- # cert-manager's HTTP-01 self-check fail with `tls: unrecognized name` after
- # F5 NIC's hardcoded HTTP→HTTPS redirect (the `nginx.org/redirect-to-https`
- # annotation only controls a different XFP-based redirect, not this in-scheme one).
- # cert-manager swaps the temp cert for the real one once ACME completes.
- cert-manager.io/issue-temporary-certificate: "true"
+ # No cert-manager annotations here — the Certificate is managed explicitly
+ # by templates/certificate.yaml so we can set issue-temporary-certificate.
+ # ingress-shim in cert-manager v1.17 doesn't propagate that annotation from
+ # Ingress to Certificate, so chart owns the Certificate directly.
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
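Review bot: The removed comment's explanation that `nginx.org/redirect-to-https` governs only the XFP-based redirect and not the in-scheme one is dropped entirely by this commit — the new header in certificate.yaml mentions the hardcoded redirect but not why that annotation cannot be used to switch it off — so the one fact that justifies the whole workaround now lives nowhere in the chart. I'd keep it in the replacement comment, e.g. `# (nginx.org/redirect-to-https only controls the XFP-based redirect, not the in-scheme HTTP→HTTPS one that breaks the HTTP-01 self-check.)`. Also `so chart owns` reads better as `so the chart owns`. Dropping the cluster-issuer annotation means ingress-shim no longer manages the TLS Secret for this Ingress; the `spec.tls` block that must still reference the chart-owned secret is outside this hunk, as is the rest of the Ingress resource.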