diff --git a/certificates-dns.md b/certificates-dns.md index 0554eda..c584bec 100644 --- a/certificates-dns.md +++ b/certificates-dns.md @@ -10,10 +10,23 @@ name. * The certifcatce for xyz.example.com is requested/stored * All pods get access to the certificate, serve https +## Certificate for a service [sketch] + +* Have one pod listening on port 80 / doing certbot from time to time + * The cert is stored as a configmap (?) or other volume +* The application containers read the certificate + * ... and are restarted on ... ?? +* Job+Cronjob could do the job +* Deletion of certificate? + * With the volume/configmap +* Port 80 of the IP nginx with certbot webroot + * webroot shared with certbot container + ## DNS * Could try to reuse existing CoreDNS + ** Maybe even via https://coredns.io/plugins/kubernetes/ ## Letsencrypt / Certificates for services [WIP] diff --git a/certificates/cert-for-service.yaml b/certificates/cert-for-service.yaml new file mode 100644 index 0000000..82cd179 --- /dev/null +++ b/certificates/cert-for-service.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginxssl +spec: + selector: + matchLabels: + app: nginxssl + replicas: 1 + template: + metadata: + labels: + app: nginxssl + spec: + containers: + - name: nginx + image: nginx:1.20.0-alpine + ports: + - containerPort: 443 +--- +apiVersion: v1 +kind: Service +metadata: + name: etherpad + labels: + app: etherpadsooooolite +spec: + type: ClusterIP + ports: + - port: 80 + selector: + app: etherpadsooooolite
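Review bot: In the certificates-dns.md hunk, the sketch line "The cert is stored as a configmap (?) or other volume" should name a Secret instead. What certbot produces includes the private key, and a ConfigMap gives no confidentiality for it, so a Secret of type `kubernetes.io/tls` (or a volume only the serving pods can mount) is the better fit, and the "Deletion of certificate?" bullet can then refer to deleting that Secret. The open item "... and are restarted on ... ??" also needs a decision before this leaves sketch state, since application containers that read the certificate only at startup will keep serving the old one after a renewal. Minor style point: the added DNS line `** Maybe even via https://coredns.io/plugins/kubernetes/` uses `**` for nesting, while the rest of the file nests with an indented `*`.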
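Review bot: In certificates/cert-for-service.yaml, the Service `etherpad` selects `app: etherpadsooooolite`, but the only Deployment in this file labels its pods `app: nginxssl`, so nothing defined here backs the Service. If the Service is meant to front the nginx pod, change the selector to `app: nginxssl`; if it targets an etherpad Deployment defined elsewhere, say so in a comment. The ports do not line up with the sketch either: the container declares only `containerPort: 443` and the Service exposes `port: 80`, while the markdown describes nginx serving the certbot webroot on port 80. The Deployment also mounts no volume, so there is neither a shared webroot nor a place for nginx to read the certificate and key from, and the stock `nginx:1.20.0-alpine` image has no TLS configuration of its own. Suggest adding the webroot and certificate volume mounts plus an nginx config, or marking the manifest as a placeholder in a comment at the top of the file.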