diff --git a/manifests/function/cabpk/v0.3.3/certmanager/certificate.yaml b/manifests/function/cabpk/v0.3.3/certmanager/certificate.yaml
new file mode 100644
index 000000000..7decb1a4b
--- /dev/null
+++ b/manifests/function/cabpk/v0.3.3/certmanager/certificate.yaml
@@ -0,0 +1,25 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/cabpk/v0.3.3/certmanager/kustomization.yaml b/manifests/function/cabpk/v0.3.3/certmanager/kustomization.yaml
new file mode 100644
index 000000000..bebea5a59
--- /dev/null
+++ b/manifests/function/cabpk/v0.3.3/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/certmanager/kustomizeconfig.yaml b/manifests/function/cabpk/v0.3.3/certmanager/kustomizeconfig.yaml
similarity index 100%
rename from manifests/function/certmanager/kustomizeconfig.yaml
rename to manifests/function/cabpk/v0.3.3/certmanager/kustomizeconfig.yaml
diff --git a/manifests/function/cabpk/v0.3.3/webhook/kustomization.yaml b/manifests/function/cabpk/v0.3.3/webhook/kustomization.yaml
index bef9dfd88..cf9bcbdd1 100644
--- a/manifests/function/cabpk/v0.3.3/webhook/kustomization.yaml
+++ b/manifests/function/cabpk/v0.3.3/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/cabpk/v0.3.7/certmanager/certificate.yaml b/manifests/function/cabpk/v0.3.7/certmanager/certificate.yaml
new file mode 100644
index 000000000..7decb1a4b
--- /dev/null
+++ b/manifests/function/cabpk/v0.3.7/certmanager/certificate.yaml
@@ -0,0 +1,25 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/cabpk/v0.3.7/certmanager/kustomization.yaml b/manifests/function/cabpk/v0.3.7/certmanager/kustomization.yaml
new file mode 100644
index 000000000..bebea5a59
--- /dev/null
+++ b/manifests/function/cabpk/v0.3.7/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/cabpk/v0.3.7/certmanager/kustomizeconfig.yaml b/manifests/function/cabpk/v0.3.7/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/cabpk/v0.3.7/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/cabpk/v0.3.7/webhook/kustomization.yaml b/manifests/function/cabpk/v0.3.7/webhook/kustomization.yaml
index 8119e340a..23314b771 100644
--- a/manifests/function/cabpk/v0.3.7/webhook/kustomization.yaml
+++ b/manifests/function/cabpk/v0.3.7/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml
new file mode 100644
index 000000000..7decb1a4b
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml
@@ -0,0 +1,25 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml
new file mode 100644
index 000000000..bebea5a59
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
index 8119e340a..23314b771 100644
--- a/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
+++ b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/cacpk/v0.3.7/certmanager/certificate.yaml b/manifests/function/cacpk/v0.3.7/certmanager/certificate.yaml
new file mode 100644
index 000000000..7decb1a4b
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.7/certmanager/certificate.yaml
@@ -0,0 +1,25 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/cacpk/v0.3.7/certmanager/kustomization.yaml b/manifests/function/cacpk/v0.3.7/certmanager/kustomization.yaml
new file mode 100644
index 000000000..bebea5a59
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.7/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/cacpk/v0.3.7/certmanager/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.7/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.7/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/cacpk/v0.3.7/webhook/kustomization.yaml b/manifests/function/cacpk/v0.3.7/webhook/kustomization.yaml
index 8119e340a..23314b771 100644
--- a/manifests/function/cacpk/v0.3.7/webhook/kustomization.yaml
+++ b/manifests/function/cacpk/v0.3.7/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/capd/v0.3.7/certmanager/certificate.yaml b/manifests/function/capd/v0.3.7/certmanager/certificate.yaml
new file mode 100644
index 000000000..cc53cbd94
--- /dev/null
+++ b/manifests/function/capd/v0.3.7/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capd/v0.3.7/certmanager/kustomization.yaml b/manifests/function/capd/v0.3.7/certmanager/kustomization.yaml
new file mode 100644
index 000000000..438e93c2c
--- /dev/null
+++ b/manifests/function/capd/v0.3.7/certmanager/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capd/v0.3.7/certmanager/kustomizeconfig.yaml b/manifests/function/capd/v0.3.7/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capd/v0.3.7/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/capd/v0.3.7/webhook/kustomization.yaml b/manifests/function/capd/v0.3.7/webhook/kustomization.yaml
index 30aaf2a9f..ec4e28426 100644
--- a/manifests/function/capd/v0.3.7/webhook/kustomization.yaml
+++ b/manifests/function/capd/v0.3.7/webhook/kustomization.yaml
@@ -5,7 +5,7 @@ namespace: capd-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 patchesStrategicMerge:
diff --git a/manifests/function/certmanager/certificate.yaml b/manifests/function/capi/v0.3.3/certmanager/certificate.yaml
similarity index 100%
rename from manifests/function/certmanager/certificate.yaml
rename to manifests/function/capi/v0.3.3/certmanager/certificate.yaml
diff --git a/manifests/function/certmanager/kustomization.yaml b/manifests/function/capi/v0.3.3/certmanager/kustomization.yaml
similarity index 100%
rename from manifests/function/certmanager/kustomization.yaml
rename to manifests/function/capi/v0.3.3/certmanager/kustomization.yaml
diff --git a/manifests/function/capi/v0.3.3/certmanager/kustomizeconfig.yaml b/manifests/function/capi/v0.3.3/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capi/v0.3.3/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/capi/v0.3.3/webhook/kustomization.yaml b/manifests/function/capi/v0.3.3/webhook/kustomization.yaml
index 75997036c..64f3d36b8 100644
--- a/manifests/function/capi/v0.3.3/webhook/kustomization.yaml
+++ b/manifests/function/capi/v0.3.3/webhook/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 - namespace.yaml
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/capi/v0.3.7/certmanager/certificate.yaml b/manifests/function/capi/v0.3.7/certmanager/certificate.yaml
new file mode 100644
index 000000000..af4e13ffe
--- /dev/null
+++ b/manifests/function/capi/v0.3.7/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capi/v0.3.7/certmanager/kustomization.yaml b/manifests/function/capi/v0.3.7/certmanager/kustomization.yaml
new file mode 100644
index 000000000..e0182475f
--- /dev/null
+++ b/manifests/function/capi/v0.3.7/certmanager/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capi/v0.3.7/certmanager/kustomizeconfig.yaml b/manifests/function/capi/v0.3.7/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capi/v0.3.7/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/capi/v0.3.7/webhook/kustomization.yaml b/manifests/function/capi/v0.3.7/webhook/kustomization.yaml
index 75997036c..64f3d36b8 100644
--- a/manifests/function/capi/v0.3.7/webhook/kustomization.yaml
+++ b/manifests/function/capi/v0.3.7/webhook/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 - namespace.yaml
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml b/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml
new file mode 100644
index 000000000..af4e13ffe
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml b/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml
new file mode 100644
index 000000000..e0182475f
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml b/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml b/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml
index a39111141..edd5cc7ac 100644
--- a/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml
+++ b/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/capm3/v0.3.2/certmanager/certificate.yaml b/manifests/function/capm3/v0.3.2/certmanager/certificate.yaml
new file mode 100644
index 000000000..af4e13ffe
--- /dev/null
+++ b/manifests/function/capm3/v0.3.2/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capm3/v0.3.2/certmanager/kustomization.yaml b/manifests/function/capm3/v0.3.2/certmanager/kustomization.yaml
new file mode 100644
index 000000000..e0182475f
--- /dev/null
+++ b/manifests/function/capm3/v0.3.2/certmanager/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capm3/v0.3.2/certmanager/kustomizeconfig.yaml b/manifests/function/capm3/v0.3.2/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capm3/v0.3.2/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/capm3/v0.3.2/webhook/kustomization.yaml b/manifests/function/capm3/v0.3.2/webhook/kustomization.yaml
index a39111141..edd5cc7ac 100644
--- a/manifests/function/capm3/v0.3.2/webhook/kustomization.yaml
+++ b/manifests/function/capm3/v0.3.2/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
 - manifests.yaml
 - service.yaml
-- ../../../certmanager
+- ../certmanager
 - ../manager
 
 configurations:
diff --git a/manifests/function/capz/v0.4.8/certmanager/certificate.yaml b/manifests/function/capz/v0.4.8/certmanager/certificate.yaml
new file mode 100644
index 000000000..2c0e245ed
--- /dev/null
+++ b/manifests/function/capz/v0.4.8/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert
diff --git a/manifests/function/capz/v0.4.8/certmanager/kustomization.yaml b/manifests/function/capz/v0.4.8/certmanager/kustomization.yaml
new file mode 100644
index 000000000..34e7e5b12
--- /dev/null
+++ b/manifests/function/capz/v0.4.8/certmanager/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+  - certificate.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/manifests/function/capz/v0.4.8/certmanager/kustomizeconfig.yaml b/manifests/function/capz/v0.4.8/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..c6a6c0f1e
--- /dev/null
+++ b/manifests/function/capz/v0.4.8/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+  - kind: Issuer
+    group: cert-manager.io
+    fieldSpecs:
+      - kind: Certificate
+        group: cert-manager.io
+        path: spec/issuerRef/name
+
+varReference:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/commonName
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/dnsNames
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/secretName
diff --git a/manifests/function/capz/v0.4.8/webhook/kustomization.yaml b/manifests/function/capz/v0.4.8/webhook/kustomization.yaml
index 72270658b..309802cbc 100644
--- a/manifests/function/capz/v0.4.8/webhook/kustomization.yaml
+++ b/manifests/function/capz/v0.4.8/webhook/kustomization.yaml
@@ -3,7 +3,7 @@ namespace: capi-webhook-system
 resources:
   - manifests.yaml
   - service.yaml
-  - ../../../certmanager
+  - ../certmanager
   - ../manager
 
 configurations: