diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b4039cd..655e435 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -425,6 +425,11 @@ jobs:
 ghcr.io/tailscale/k8s-operator:v1.96.5 \
 ghcr.io/tailscale/tailscale:v1.96.5 \
 registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 \
+ docker.io/rancher/mirrored-pause:3.6 \
+ quay.io/jetstack/cert-manager-controller:v1.17.2 \
+ quay.io/jetstack/cert-manager-cainjector:v1.17.2 \
+ quay.io/jetstack/cert-manager-webhook:v1.17.2 \
+ quay.io/jetstack/cert-manager-startupapicheck:v1.17.2 \
 docker.io/grafana/loki:3.5.7 \
 docker.io/kiwigrid/k8s-sidecar:1.30.10 \
 docker.io/grafana/promtail:3.0.0 \
@@ -712,6 +717,14 @@ jobs:
 ghcr.io/fluxcd/notification-controller:v1.8.1; do
 import_required_image "${image}" "${PRIMARY_CP_IP}"
 done
+ for image in \
+ docker.io/rancher/mirrored-pause:3.6 \
+ quay.io/jetstack/cert-manager-controller:v1.17.2 \
+ quay.io/jetstack/cert-manager-cainjector:v1.17.2 \
+ quay.io/jetstack/cert-manager-webhook:v1.17.2 \
+ quay.io/jetstack/cert-manager-startupapicheck:v1.17.2; do
+ import_required_image_on_all_nodes "${image}"
+ done
 # Apply CRDs and controllers first
 kubectl apply -f clusters/prod/flux-system/gotk-components.yaml
 # Wait for CRDs to be established
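Review bot: The five images added to the list in the first hunk (`docker.io/rancher/mirrored-pause:3.6` and the four `quay.io/jetstack/cert-manager-*:v1.17.2` entries) are referenced by tag only, and the same references recur in the `for image in` loop of the second hunk. A tag can be re-pointed on the registry side, so what is imported onto the nodes is whatever the tag resolves to when the pipeline runs, and the cert-manager controller and webhook are security-sensitive components. If the import helpers accept digest references (their definitions are outside the hunk), pin each entry, e.g. `quay.io/jetstack/cert-manager-webhook:v1.17.2@sha256:<digest-of-reviewed-image>`. The surrounding entries are tag-only as well, so this may be better done across the whole list in a follow-up.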
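Review bot: The `for image in` loop added in the second hunk repeats, entry for entry, the five references added to the list in the first hunk, so a cert-manager version bump must be made in two places in this file and kept in step with the chart the HelmRelease installs. A missed entry would presumably leave nodes without the preloaded image for the version Flux actually deploys. If both lists live in the same `run:` script (the enclosing step starts outside the hunk), define the list once, e.g. `CERT_MANAGER_IMAGES="..."`, and iterate over it in both places. The loop would also benefit from a one-line comment saying why these images go through `import_required_image_on_all_nodes` while the loop above uses `import_required_image` with `${PRIMARY_CP_IP}`.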
@@ -732,6 +745,9 @@ jobs:
 flux_rollout_status helm-controller
 kubectl -n flux-system wait --for=condition=Ready gitrepository/platform --timeout=300s
 kubectl -n flux-system wait --for=condition=Ready kustomization/infrastructure --timeout=600s
+ kubectl -n flux-system annotate kustomization/addon-cert-manager reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
+ kubectl -n flux-system wait --for=condition=Ready kustomization/addon-cert-manager --timeout=1200s
+ kubectl -n flux-system wait --for=condition=Ready helmrelease/cert-manager --timeout=1200s
 # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
 wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
 kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
@@ -776,7 +792,7 @@ jobs:
 kubectl annotate storageclass flash-nfs storageclass.kubernetes.io/is-default-class=true --overwrite
 kubectl get storageclass flash-nfs
- - name: Wait for Rancher and backup operator
+ - name: Wait for Rancher
 env:
 KUBECONFIG: outputs/kubeconfig
 run: |
diff --git a/infrastructure/addons/cert-manager/helmrelease-cert-manager.yaml b/infrastructure/addons/cert-manager/helmrelease-cert-manager.yaml
index bf2c747..de1dd2b 100644
--- a/infrastructure/addons/cert-manager/helmrelease-cert-manager.yaml
+++ b/infrastructure/addons/cert-manager/helmrelease-cert-manager.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: flux-system
 spec:
 interval: 10m
+ timeout: 15m
 targetNamespace: cert-manager
 chart:
 spec:
diff --git a/infrastructure/addons/kustomization-cert-manager.yaml b/infrastructure/addons/kustomization-cert-manager.yaml
index 26784ee..2c550b4 100644
--- a/infrastructure/addons/kustomization-cert-manager.yaml
+++ b/infrastructure/addons/kustomization-cert-manager.yaml
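Review bot: The added `annotate kustomization/addon-cert-manager` line in the `-732,6 +745,9` hunk runs without first confirming that the object exists, whereas the ESO block directly below it calls `wait_for_resource` before its own annotate. If `addon-cert-manager` has not been created by the time `kustomization/infrastructure` reports Ready, the annotate and the `kubectl wait` after it would likely fail at once with NotFound instead of waiting. Adding `wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-cert-manager 600` ahead of the annotate would match the existing pattern; that helper is defined outside the hunk, so its exact arguments should be checked. The two sequential `--timeout=1200s` waits also exit without diagnostics on timeout, so a short comment stating why cert-manager must be Ready before the ESO steps would help whoever debugs a stalled run.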
@@ -11,5 +11,5 @@ spec:
 name: platform
 path: ./infrastructure/addons/cert-manager
 wait: true
- timeout: 10m
+ timeout: 20m
 suspend: false