diff --git a/certbot/0.grapheneos.network b/certbot/0.grapheneos.network
new file mode 100644
index 0000000..664c1f4
--- /dev/null
+++ b/certbot/0.grapheneos.network
@@ -0,0 +1,27 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name grapheneos.network \
+    -d grapheneos.network \
+    -d grapheneos.network \
+    -d www.grapheneos.network \
+    -d connectivitycheck.grapheneos.network \
+    -d mta-sts.grapheneos.network \
+    -d grapheneos.online \
+    -d www.grapheneos.online \
+    -d connectivitycheck.grapheneos.online \
+    -d mta-sts.grapheneos.online \
+    -d connectivitycheck.grapheneos.org \
+    -d time.grapheneos.org \
+    -d remoteprovisioning.grapheneos.org \
+    -d broadcom.psds.grapheneos.org \
+    -d qualcomm.psds.grapheneos.org \
+    -d supl.grapheneos.org \
+    -d update.vanadium.app \
+    -d dl.vanadium.app
+
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type rsa --rsa-key-size 3072 --reuse-key --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name supl.grapheneos.org \
+    -d supl.grapheneos.org
diff --git a/certbot/0.grapheneos.org b/certbot/0.grapheneos.org
new file mode 100644
index 0000000..c1fb378
--- /dev/null
+++ b/certbot/0.grapheneos.org
@@ -0,0 +1,35 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name grapheneos.org \
+    -d grapheneos.org \
+    -d www.grapheneos.org \
+    -d mta-sts.grapheneos.org \
+    -d mta-sts.mail.grapheneos.org \
+    -d grapheneos.app \
+    -d mta-sts.grapheneos.app \
+    -d www.grapheneos.app \
+    -d grapheneos.ca \
+    -d mta-sts.grapheneos.ca \
+    -d www.grapheneos.ca \
+    -d grapheneos.com \
+    -d mta-sts.grapheneos.com \
+    -d www.grapheneos.com \
+    -d grapheneos.dev \
+    -d mta-sts.grapheneos.dev \
+    -d www.grapheneos.dev \
+    -d grapheneos.info \
+    -d mta-sts.grapheneos.info \
+    -d www.grapheneos.info \
+    -d grapheneos.net \
+    -d mta-sts.grapheneos.net \
+    -d www.grapheneos.net \
+    -d grapheneos.ovh \
+    -d mta-sts.grapheneos.ovh \
+    -d www.grapheneos.ovh \
+    -d grapheneos.page \
+    -d mta-sts.grapheneos.page \
+    -d www.grapheneos.page \
+    -d vanadium.app \
+    -d mta-sts.vanadium.app \
+    -d www.vanadium.app
diff --git a/certbot/0.releases.grapheneos.org b/certbot/0.releases.grapheneos.org
new file mode 100644
index 0000000..639cc2f
--- /dev/null
+++ b/certbot/0.releases.grapheneos.org
@@ -0,0 +1,9 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name releases.grapheneos.org \
+    -d releases.grapheneos.org \
+    -d apps.grapheneos.org \
+    -d seamlessupdate.app \
+    -d mta-sts.seamlessupdate.app \
+    -d www.seamlessupdate.app
diff --git a/certbot/attestation.app b/certbot/attestation.app
new file mode 100644
index 0000000..4195b8f
--- /dev/null
+++ b/certbot/attestation.app
@@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name attestation.app \
+    -d attestation.app \
+    -d mta-sts.attestation.app \
+    -d www.attestation.app
diff --git a/certbot/discuss.grapheneos.org b/certbot/discuss.grapheneos.org
new file mode 100644
index 0000000..1269c5e
--- /dev/null
+++ b/certbot/discuss.grapheneos.org
@@ -0,0 +1,6 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name discuss.grapheneos.org \
+    -d discuss.grapheneos.org \
+    -d mta-sts.discuss.grapheneos.org
diff --git a/certbot/grapheneos.social b/certbot/grapheneos.social
new file mode 100644
index 0000000..d7f3132
--- /dev/null
+++ b/certbot/grapheneos.social
@@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name grapheneos.social \
+    -d grapheneos.social \
+    -d mta-sts.grapheneos.social \
+    -d www.grapheneos.social
diff --git a/certbot/mail.grapheneos.org b/certbot/mail.grapheneos.org
new file mode 100644
index 0000000..eb58985
--- /dev/null
+++ b/certbot/mail.grapheneos.org
@@ -0,0 +1,5 @@
+certbot certonly --standalone --no-eff-email \
+    --key-type rsa --rsa-key-size 3072 --reuse-key --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name staging.grapheneos.org \
+    -d staging.grapheneos.org
diff --git a/certbot/matrix.grapheneos.org b/certbot/matrix.grapheneos.org
new file mode 100644
index 0000000..fd451b4
--- /dev/null
+++ b/certbot/matrix.grapheneos.org
@@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name matrix.grapheneos.org \
+    -d matrix.grapheneos.org \
+    -d mta-sts.matrix.grapheneos.org \
+    -d element.grapheneos.org
diff --git a/certbot/staging.attestation.app b/certbot/staging.attestation.app
new file mode 100644
index 0000000..5d49bb7
--- /dev/null
+++ b/certbot/staging.attestation.app
@@ -0,0 +1,5 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name staging.attestation.org \
+    -d staging.attestation.org
diff --git a/certbot/staging.grapheneos.org b/certbot/staging.grapheneos.org
new file mode 100644
index 0000000..8b5d532
--- /dev/null
+++ b/certbot/staging.grapheneos.org
@@ -0,0 +1,5 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+    --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+    --deploy-hook "/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache" \
+    --cert-name staging.grapheneos.org \
+    -d staging.grapheneos.org