diff --git a/install/installer/pkg/components/server/authpki.go b/install/installer/pkg/components/server/authpki.go
new file mode 100644
index 00000000000000..00258f7cea9aab
--- /dev/null
+++ b/install/installer/pkg/components/server/authpki.go
@@ -0,0 +1,58 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package server
+
+import (
+ "fmt"
+ "math"
+ "time"
+
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+
+ certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+ cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func authPKI(ctx *common.RenderContext) ([]runtime.Object, error) {
+ serverAltNames := []string{
+ fmt.Sprintf("gitpod.%s", ctx.Namespace),
+ fmt.Sprintf("%s.%s.svc", Component, ctx.Namespace),
+ Component,
+ fmt.Sprintf("%s-dev", Component),
+ }
+
+ return []runtime.Object{
+ &certmanagerv1.Certificate{
+ TypeMeta: common.TypeMetaCertificate,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: AuthPKISecretName,
+ Namespace: ctx.Namespace,
+ Labels: common.DefaultLabels(Component),
+ },
+ Spec: certmanagerv1.CertificateSpec{
+ Duration: &metav1.Duration{
+ Duration: time.Duration(math.MaxInt64), // never expire automatically
+ },
+ SecretName: AuthPKISecretName,
+ DNSNames: serverAltNames,
+ IssuerRef: cmmeta.ObjectReference{
+ Name: common.CertManagerCAIssuer,
+ Kind: certmanagerv1.ClusterIssuerKind,
+ Group: "cert-manager.io",
+ },
+ PrivateKey: &certmanagerv1.CertificatePrivateKey{
+ Encoding: certmanagerv1.PKCS8,
+ Size: 4096,
+ Algorithm: certmanagerv1.RSAKeyAlgorithm,
+ },
+ SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
+ Labels: common.DefaultLabels(Component),
+ },
+ },
+ },
+ }, nil
+}
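Review bot: The `Duration: time.Duration(math.MaxInt64)` in the Spec (commented "never expire automatically") makes this key effectively permanent and switches off cert-manager's renewal, so what appears to be an authentication signing credential has no built-in rotation path if the Secret is ever exposed. I would set a finite `Duration` with a matching `RenewBefore` (both are `CertificateSpec` fields), or at minimum replace the inline comment with one that states the consequence, e.g. `// MaxInt64 disables cert-manager renewal; key rotation must be triggered out of band`. It is also worth confirming that cert-manager actually accepts a ~292-year duration rather than clamping or rejecting it, since either outcome differs from what the comment promises. `authPKI` has no doc comment; suggest `// authPKI renders the cert-manager Certificate backing the server's auth PKI Secret (AuthPKISecretName), issued by the cluster CA issuer.` Finally, the `%s-dev` SAN ships in every deployed certificate; if it exists only for local development, a short comment explaining why it is unconditional would help the next reader.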
diff --git a/install/installer/pkg/components/server/constants.go b/install/installer/pkg/components/server/constants.go
index a60b3e8a8e8bf8..232c231a100e66 100644
--- a/install/installer/pkg/components/server/constants.go
+++ b/install/installer/pkg/components/server/constants.go
@@ -31,6 +31,8 @@ const (
 AdminCredentialsSecretMountPath = "/credentials/admin"
 AdminCredentialsSecretKey = "admin.json"
 
+ AuthPKISecretName = "auth-pki"
+
 GRPCAPIName = "grpc"
 GRPCAPIPort = common.ServerGRPCAPIPort
 )
diff --git a/install/installer/pkg/components/server/objects.go b/install/installer/pkg/components/server/objects.go
index d5568035e06470..aa0aa43483f647 100644
--- a/install/installer/pkg/components/server/objects.go
+++ b/install/installer/pkg/components/server/objects.go
@@ -60,4 +60,5 @@ var Objects = common.CompositeRenderFunc(
 },
 }),
 common.DefaultServiceAccount(Component),
+ authPKI,
 )