diff --git a/media-services/index.ts b/media-services/index.ts
index 43451c9..c3134e3 100644
--- a/media-services/index.ts
+++ b/media-services/index.ts
@@ -3,7 +3,7 @@ import { TerraformStack } from "cdktf";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
-import { LonghornPvc } from "../utils";
+import { CloudflareCertificate, LonghornPvc } from "../utils";
 import { JellyfinServer } from "./jellyfin";
 import { SonarrServer } from "./sonarr";
 import { RadarrServer } from "./radarr";
@@ -42,10 +42,28 @@ export class MediaServices extends TerraformStack {
 size: "450Gi",
 });
+ const certificateSecretName = "media-services-tls";
+
+ new CloudflareCertificate(this, "cloudflare-certificate", {
+ provider,
+ namespace,
+ name: "media-services",
+ dnsNames: [
+ "media.dogar.dev",
+ "sonarr.dogar.dev",
+ "radarr.dogar.dev",
+ "torrent.dogar.dev",
+ "prowlarr.dogar.dev",
+ ],
+ secretName: certificateSecretName,
+ commonName: "media.dogar.dev",
+ });
+
 // Deploy media services
 new JellyfinServer(this, "jellyfin", {
 provider,
 namespace,
+ certificateSecretName,
 mediaPvcName: mediaPvc.name,
 host: "media.dogar.dev",
 });
@@ -53,6 +71,7 @@ export class MediaServices extends TerraformStack {
 new SonarrServer(this, "sonarr", {
 provider,
 namespace,
+ certificateSecretName,
 mediaPvcName: mediaPvc.name,
 downloadsPvcName: downloadsPvc.name,
 host: "sonarr.dogar.dev",
@@ -61,6 +80,7 @@ export class MediaServices extends TerraformStack {
 new RadarrServer(this, "radarr", {
 provider,
 namespace,
+ certificateSecretName,
 mediaPvcName: mediaPvc.name,
 downloadsPvcName: downloadsPvc.name,
 host: "radarr.dogar.dev",
@@ -69,6 +89,7 @@ export class MediaServices extends TerraformStack {
 new QBittorrentServer(this, "qbittorrent", {
 provider,
 namespace,
+ certificateSecretName,
 downloadsPvcName: downloadsPvc.name,
 host: "torrent.dogar.dev",
 });
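Review bot: The new `CloudflareCertificate` puts all five hostnames on one certificate and one private key in `media-services-tls`, where sonarr, radarr, torrent and prowlarr each had their own `PrivateCertificate` (removed in their files further down). `CloudflareCertificate` lives in `../utils` and is not shown here; if it issues from a publicly trusted CA, those four hostnames will now be recorded in Certificate Transparency logs, and exposure of this single secret affects every service in the stack. If that trade-off is intended, record it next to the constant, e.g. `// One shared cert/key for every media host; issuer and CT exposure accepted: <decision reference>`. The MediaServices constructor starts and ends outside this hunk.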
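Review bot: Each `host:` literal passed to a server must also appear in the `dnsNames` array of the shared certificate, and nothing ties the two lists together, so a host added or renamed without the matching `dnsNames` entry would be served with a certificate that does not cover it. This applies to the SonarrServer call in this hunk and equally to the Jellyfin, Radarr, QBittorrent and Prowlarr calls in the neighbouring hunks. Consider declaring the hosts once, e.g. `const hosts = { jellyfin: "media.dogar.dev", sonarr: "sonarr.dogar.dev", /* … */ } as const;`, then `dnsNames: Object.values(hosts)` and `host: hosts.sonarr`.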
@@ -76,6 +97,7 @@ export class MediaServices extends TerraformStack {
 new ProwlarrServer(this, "prowlarr", {
 provider,
 namespace,
+ certificateSecretName,
 host: "prowlarr.dogar.dev",
 });
 }
diff --git a/media-services/jellyfin/index.ts b/media-services/jellyfin/index.ts
index c2c448a..90512e2 100644
--- a/media-services/jellyfin/index.ts
+++ b/media-services/jellyfin/index.ts
@@ -2,11 +2,7 @@ import { Construct } from "constructs";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import {
- CloudflareCertificate,
- InternalIngressRoute,
- LonghornPvc,
-} from "../../utils";
+import { InternalIngressRoute, LonghornPvc } from "../../utils";
 import { BaseMediaServiceOptions, getAamil3NodeSelector } from "../types";
 type JellyfinServerOptions = BaseMediaServiceOptions & {
@@ -14,6 +10,8 @@ type JellyfinServerOptions = BaseMediaServiceOptions & {
 mediaPvcName: string;
 /** Hostname for the ingress */
 host: string;
+ /** Secret name for the TLS certificate */
+ certificateSecretName: string;
 };
 export class JellyfinServer extends Construct {
@@ -140,14 +138,6 @@ export class JellyfinServer extends Construct {
 },
 });
- new CloudflareCertificate(this, "certificate", {
- provider,
- namespace,
- name,
- secretName: "jellyfin-tls",
- dnsNames: [host],
- });
-
 // Ingress - using internal ingress for secure access
 new InternalIngressRoute(this, "ingress", {
 provider,
@@ -156,7 +146,7 @@ export class JellyfinServer extends Construct {
 host,
 serviceName: name,
 servicePort: 80,
- tlsSecretName: "jellyfin-tls",
+ tlsSecretName: options.certificateSecretName,
 });
 }
 }
diff --git a/media-services/prowlarr/index.ts b/media-services/prowlarr/index.ts
index 73ff85b..327716a 100644
--- a/media-services/prowlarr/index.ts
+++ b/media-services/prowlarr/index.ts
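Review bot: `certificateSecretName: string` is added with the same doc comment to `JellyfinServerOptions` here and to `ProwlarrOptions`, `QBittorrentServerOptions`, `RadarrServerOptions` and `SonarrServerOptions` in the other files, although all five already intersect `BaseMediaServiceOptions`. Declaring the field once on `BaseMediaServiceOptions` (in `../types`, not part of this diff) would keep the five types from drifting apart. The doc comment could also state what the ingress relies on, e.g. `/** Name of an existing TLS secret whose certificate covers host; created by the caller, not by this construct */`.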
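Review bot: `tlsSecretName: options.certificateSecretName` reads the value off `options` while the neighbouring properties use bare `host` and `name`, which suggests the other options are destructured earlier in the constructor, outside this hunk. Adding `certificateSecretName` to that destructuring and writing `tlsSecretName: certificateSecretName,` would match the surrounding style. The same line appears in the prowlarr, qbittorrent, radarr and sonarr ingress hunks.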
@@ -2,11 +2,7 @@ import { Construct } from "constructs";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import {
- InternalIngressRoute,
- LonghornPvc,
- PrivateCertificate,
-} from "../../utils";
+import { InternalIngressRoute, LonghornPvc } from "../../utils";
 import {
 BaseMediaServiceOptions,
 getWorkerNodeSelector,
@@ -16,6 +12,8 @@ import {
 type ProwlarrOptions = BaseMediaServiceOptions & {
 /** Hostname for the ingress */
 host: string;
+ /** Secret name for the TLS certificate */
+ certificateSecretName: string;
 };
 export class ProwlarrServer extends Construct {
@@ -111,15 +109,6 @@ export class ProwlarrServer extends Construct {
 },
 });
- new PrivateCertificate(this, "certificate", {
- provider,
- namespace,
- name,
- commonName: host,
- dnsNames: [host],
- secretName: `${name}-tls`,
- });
-
 // Ingress
 new InternalIngressRoute(this, "ingress", {
 provider,
@@ -128,7 +117,7 @@ export class ProwlarrServer extends Construct {
 host,
 serviceName: name,
 servicePort: 80,
- tlsSecretName: `${name}-tls`,
+ tlsSecretName: options.certificateSecretName,
 });
 }
 }
diff --git a/media-services/qbittorrent/index.ts b/media-services/qbittorrent/index.ts
index d119449..5979d14 100644
--- a/media-services/qbittorrent/index.ts
+++ b/media-services/qbittorrent/index.ts
@@ -2,11 +2,7 @@ import { Construct } from "constructs";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import {
- InternalIngressRoute,
- LonghornPvc,
- PrivateCertificate,
-} from "../../utils";
+import { InternalIngressRoute, LonghornPvc } from "../../utils";
 import {
 BaseMediaServiceOptions,
 getAamil3NodeSelector,
@@ -18,6 +14,8 @@ type QBittorrentServerOptions = BaseMediaServiceOptions & {
 downloadsPvcName: string;
 /** Hostname for the ingress */
 host: string;
+ /** Secret name for the TLS certificate */
+ certificateSecretName: string;
 };
 export class QBittorrentServer extends Construct {
@@ -137,15 +135,6 @@ export class QBittorrentServer extends Construct {
 },
 });
- new PrivateCertificate(this, "certificate", {
- provider,
- namespace,
- name,
- commonName: host,
- dnsNames: [host],
- secretName: `${name}-tls`,
- });
-
 // Ingress
 new InternalIngressRoute(this, "ingress", {
 provider,
@@ -154,7 +143,7 @@ export class QBittorrentServer extends Construct {
 host,
 serviceName: name,
 servicePort: 80,
- tlsSecretName: `${name}-tls`,
+ tlsSecretName: options.certificateSecretName,
 });
 }
 }
diff --git a/media-services/radarr/index.ts b/media-services/radarr/index.ts
index 1af60c4..9b1cb2a 100644
--- a/media-services/radarr/index.ts
+++ b/media-services/radarr/index.ts
@@ -2,11 +2,7 @@ import { Construct } from "constructs";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import {
- InternalIngressRoute,
- LonghornPvc,
- PrivateCertificate,
-} from "../../utils";
+import { InternalIngressRoute, LonghornPvc } from "../../utils";
 import {
 BaseMediaServiceOptions,
 getAamil3NodeSelector,
@@ -20,6 +16,8 @@ type RadarrServerOptions = BaseMediaServiceOptions & {
 downloadsPvcName: string;
 /** Hostname for the ingress */
 host: string;
+ /** Secret name for the TLS certificate */
+ certificateSecretName: string;
 };
 export class RadarrServer extends Construct {
@@ -136,15 +134,6 @@ export class RadarrServer extends Construct {
 },
 });
- new PrivateCertificate(this, "certificate", {
- provider,
- namespace,
- name,
- commonName: host,
- dnsNames: [host],
- secretName: `${name}-tls`,
- });
-
 // Ingress
 new InternalIngressRoute(this, "ingress", {
 provider,
@@ -153,7 +142,7 @@ export class RadarrServer extends Construct {
 host,
 serviceName: name,
 servicePort: 80,
- tlsSecretName: `${name}-tls`,
+ tlsSecretName: options.certificateSecretName,
 });
 }
 }
diff --git a/media-services/sonarr/index.ts b/media-services/sonarr/index.ts
index 49fc23c..c48f8af 100644
--- a/media-services/sonarr/index.ts
+++ b/media-services/sonarr/index.ts
@@ -2,11 +2,7 @@ import { Construct } from "constructs";
 import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
 import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
-import {
- InternalIngressRoute,
- LonghornPvc,
- PrivateCertificate,
-} from "../../utils";
+import { InternalIngressRoute, LonghornPvc } from "../../utils";
 import {
 BaseMediaServiceOptions,
 getAamil3NodeSelector,
@@ -20,6 +16,8 @@ type SonarrServerOptions = BaseMediaServiceOptions & {
 downloadsPvcName: string;
 /** Hostname for the ingress */
 host: string;
+ /** Secret name for the TLS certificate */
+ certificateSecretName: string;
 };
 export class SonarrServer extends Construct {
@@ -136,15 +134,6 @@ export class SonarrServer extends Construct {
 },
 });
- new PrivateCertificate(this, "certificate", {
- provider,
- namespace,
- name,
- commonName: host,
- dnsNames: [host],
- secretName: `${name}-tls`,
- });
-
 // Ingress
 new InternalIngressRoute(this, "ingress", {
 provider,
@@ -153,7 +142,7 @@ export class SonarrServer extends Construct {
 host,
 serviceName: name,
 servicePort: 80,
- tlsSecretName: `${name}-tls`,
+ tlsSecretName: options.certificateSecretName,
 });
 }
 }