diff --git a/loki-ca/README.md b/loki-ca/README.md
new file mode 100644
index 0000000..2e188af
--- /dev/null
+++ b/loki-ca/README.md
@@ -0,0 +1,24 @@
+# Private CA for Grafana Loki Client Authentication
+
+## Generate CA Key/Certificate
+
+```sh
+openssl genpkey -algorithm ED25519 -out loki-ca.key
+openssl req -new -config openssl.cnf -key loki-ca.key -x509 -out loki-ca.crt -days 3653
+```
+
+## Create SealedSecret
+
+```sh
+kubectl create secret tls -n cert-manager loki-ca --cert loki-ca.crt --key loki-ca.key --dry-run=client -o yaml | kubeseal -o yaml > secrets.yaml
+```
+
+_Note_: the SealedSecret is stored in the _cert-manager_ namespace since it is
+used by a ClusterIssuer.
+
+
+## Deploy
+
+```sh
+kubectl apply -f .
+```
diff --git a/loki-ca/loki-ca.crt b/loki-ca/loki-ca.crt
new file mode 100644
index 0000000..842c832
--- /dev/null
+++ b/loki-ca/loki-ca.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCCAUagAwIBAgIUGNZ/ASP8F2ytev3YplTk4jA5a2EwBQYDK2VwMEgxCzAJ
+BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxDTALBgNVBAsMBExv
+a2kxEDAOBgNVBAMMB0xva2kgQ0EwHhcNMjQwMjIwMTUwMTQxWhcNMzQwMjIwMTUw
+MTQxWjBIMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMQ0w
+CwYDVQQLDARMb2tpMRAwDgYDVQQDDAdMb2tpIENBMCowBQYDK2VwAyEAnmMawEIo
+WfzFaLgpSiaPD+DHg28NHknMFcs7XpyTM9CjQjBAMB0GA1UdDgQWBBTFth3c4S/f
+y0BphQy9SucnKN2pLzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAF
+BgMrZXADQQCn0JWERsXdJA4kMM45ZXhVgAciwLNQ8ikoucsJcbWBp7bSMjcMVi51
+I+slotQvQES/vfqp/zZFNl7KKyeeQ0sD
+-----END CERTIFICATE-----
diff --git a/loki-ca/loki-ca.yaml b/loki-ca/loki-ca.yaml
new file mode 100644
index 0000000..efe1b13
--- /dev/null
+++ b/loki-ca/loki-ca.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: loki-ca
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: loki-ca
+spec:
+  ca:
+    secretName: loki-ca
diff --git a/loki-ca/openssl.cnf b/loki-ca/openssl.cnf
new file mode 100644
index 0000000..7804f48
--- /dev/null
+++ b/loki-ca/openssl.cnf
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = root_ca_dn
+prompt = no
+default_md = sha512
+x509_extensions = root_ca
+string_mask = utf8only
+
+[root_ca_dn]
+countryName = US
+organizationName = Dustin C. Hatch
+organizationalUnitName = Loki
+commonName = Loki CA
+
+[root_ca]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:true,pathlen:0
+keyUsage = cRLSign, keyCertSign
diff --git a/loki-ca/secrets.yaml b/loki-ca/secrets.yaml
new file mode 100644
index 0000000..153ae70
--- /dev/null
+++ b/loki-ca/secrets.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: loki-ca
+  namespace: cert-manager
+spec:
+  encryptedData:
+    tls.crt: AgCAvqpGFq6pZYDF8DjUu0B9CrI9J0yLTgsjsbYeWVuIFU9ie/RsSkrccFdVg4od+Sd+NbIfw7eMA+ZiPIzqiW4IdMR4vXi1hmqfjl5n5MMRTPTfTfB/gOAVO3mNur2Fnutloo47ZueXA6JznMSqwPu6pAhypSIFwfgScF2EANkTBEWClxvF5U/RY4hlO6nbV56FPbGBvXE1ZCk5ejzLyY9ldz8rdt/T5VdioH82fX5rlzlGdKOyjYCOK81Flo59jwIRr5cLggd3/ddLn1xGaHORU/8PngWbHcyEI7lkByZ1cpFeG2kZ0DwceH9RLuhu1pS3FobYRGdt3QAGpGLQoNLJGsU5y43JwcyDA5qlQHhoszBRerDsi8vidNLiFD1X+85tGT2aInl4ysfL28w/koE6uo8GvUzp8d+NlK/P55MK4Xrtbu8NgSNKbBdaV0cLAxZpnyrJ5xqdkfmGEDxTltZ+XckMpEq2k0PrsrOfhCG9/xLN4vp0AISbxXFTEADhvz6ZCgxdndsnt3RW+CxAWGTslV9tY6GWSEWkG6P9/J5swetHTwRGJMWftUYHFY0C9rqZBJNKAInEDf3BA0fZelqMaQ2afZD+7upgO5Wst+hw6oGmVs555SoWSScIkdWTVQFBfvIatY/s0MH7v4LnSOEM61ZVPwXbL/GLKsVy6CcH/IOH7pKOlBK42mA9T0/QzRiA7ZAPj0yYslHhKPGqz90ojBv/ch3Y+142/IgrlWPr+xJvLYuU4AWRglthyFHjOpSkmFvH21MqzyRT+AxORJAsSepCCRz1hHx9KruC4M8iuQ9QEGZHsT+8IkWbWKo4AGllCEyF34jdMUuIYcon0e8+H3jPQvk4aM1X5d1V4ZfvqPswlcrxklGRMsT2wMEFpFXElHXwBgKTGD0FDTH7/DwMsioCmfz0hg/P5GsZ2ziNUqFC+/ngSWOPyuo6Jgt303tEbX8p972VMOtfFyqh2mR53jE2QeM9w0zgDKHxpAN6Pu5WLsj0N5VYBesLFsukEMUFlo+ltBvQO+AKv67E8B/LPPDbwViyEZFZoNPrffC9B2lhltVYfRtfuCjlPUMy5TVixugDxrqwA/6eQtIUOokSHb3GsDpdKjEKhs0KLqhkDU3A9BnrKhRbaOisMxPLuYUPMd8OVst515EZVwv+lKp74oY6UDk6bUAX34GkdVw7g6QO140WRqLkb4bjAjFcwsat1h06P5AcNDCrwAfnPFtxyicAnAi4Cq960j8+7bHnMdrY7aakKy5gIxlkwcHnUheg0wvh2TJH1juvDArVDh4TU9J76F3jKRL5YCJXq2Gg1NExOfUYKMpFE0MXjg2jemBwDpsczttdcs0zo0vnbYmS8wxhiawdnNuPtYZ0m/XxYlw9qocjfy8QCrs7eaK9F2BH0L5dIx894SPsv7nk3/jnENakcgpzU8aKrfCRfR+qEJfoQ7yg701qLfO709KUNjOWxa9r0QTxQS+TGVrvlqdEJ2lASlM6UOHqE7ZbmKHg
+    tls.key: AgACeNJFSJlXIzdU6DntcdHA1CZoSdi+CacD3pqMYJRyJDPlbFi06eaWNqPT08wIfh2QTternOewBt3jlsLtD3p5VF9GY1EtDNradEpK8POd2e44tMvQusA85rSM5iDwFKQDHswTcmxW/x/d5OnefydJnDaAifCycYYmvXtjJDrnQ1lJJ9oBxnS9y3mqTpQzrSNuVuC4JjpXzzCvx05CDFE6fDxkFwJoDWKPbaZD1wXfi0kbjAPlzANWzGHS/p/dSrMQvyCWiF/dVeMcXTCCgUyKfaZqDZCRgQh006d6+M4z0t2RHB3Jk59hPErhVOt8tHWHckuz3b2Ux/cisF89yl1zsh9WmNyCSRoArPet+lkx6GpS6/kJJ+z7qIHboJYEFA6+Vt+rG6knOIRGo7gnzc02URzGG0caaSorRUnD6sLteKkWHUccU9CFinbWQZloIfkKZMadIEQqhQJhcRAbN86tAUTntyVjSia4IXMRhGPtwJrdwZr57CCfkDkjSaxluWga9z5bxtoVIITYHaf1gHQ3J4YS8HCJdQFRtEjAqipm6BXYloujVE3dAHAb3l54ORW61lGLpJP6fKLLH6ZVJu65KulTdaokzuIzLY6xvoJtDKAlP1Y146OdowMWvlXitZ4kZLa0LT2jiN3FfaUrl4FnZEu1wC0vdu+nnbYLJ5WGHUnQLTQqHSMK/zW02W/cs2Tf8dbCvL8E5KL8dHPHHtC/8BH4f530pamEJDGdQuhMAZwJ1T8ohWHFG4XMT83pMqYChIlqlX8Yzd2RlNPlB1U0ROTftIYqx5Fd5DU4dxofydspBQaWbXLQ2fQF3k28zMNjSSZwyBL15nFf78hDGS3GeQ7W3YlpxA==
+  template:
+    metadata:
+      name: loki-ca
+      namespace: cert-manager
+    type: kubernetes.io/tls