diff --git a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
index 68a2d157d..208f73d18 100644
--- a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
@@ -203,6 +203,9 @@ spec:
 - name: client-cert
 readOnly: true
 mountPath: /usr/local/share/ca-certificates/client/
+ - name: admin-cert
+ readOnly: true
+ mountPath: /usr/local/share/ca-certificates/admin/
 {{- end }}
 {{ tpl .Values.admin.extraVolumeMounts . | nindent 12 | trim }}
 ports:
@@ -298,6 +301,9 @@ spec:
 - name: client-cert
 secret:
 secretName: {{ template "seaweedfs.name" . }}-client-cert
+ - name: admin-cert
+ secret:
+ secretName: {{ template "seaweedfs.name" . }}-admin-cert
 {{- end }}
 {{ tpl .Values.admin.extraVolumes . | indent 8 | trim }}
 {{- if .Values.admin.nodeSelector }}
diff --git a/k8s/charts/seaweedfs/templates/cert/admin-cert.yaml b/k8s/charts/seaweedfs/templates/cert/admin-cert.yaml
new file mode 100644
index 000000000..be5266019
--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cert/admin-cert.yaml
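Review bot: The `- name: admin-cert` volume in the second hunk references secret `{{ template "seaweedfs.name" . }}-admin-cert`, but the `if` that opens the block closed by the visible `{{- end }}` lies outside the hunk, so I cannot confirm it is gated the same way as the new Certificate. admin-cert.yaml renders only when `global.enableSecurity` is set and `certificates.externalCertificates.enabled` is not; if this volume block is gated on `global.enableSecurity` alone, a deployment using external certificates will reference a secret the chart never creates and the admin pod will sit in ContainerCreating until a secret with that exact name is supplied. Either gate the mount and the volume on the same two conditions, or state in values.yaml that an external `<release>-admin-cert` secret must be provided alongside the existing client/filer ones. The same applies to both worker-deployment.yaml hunks, which reference `<release>-worker-cert`.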
@@ -0,0 +1,43 @@
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Certificate
+metadata:
+ name: {{ template "seaweedfs.name" . }}-admin-cert
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: admin
+ {{- if .Values.admin.annotations }}
+ annotations:
+ {{- toYaml .Values.admin.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ secretName: {{ template "seaweedfs.name" . }}-admin-cert
+ issuerRef:
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
+ commonName: {{ .Values.certificates.commonName }}
+ subject:
+ organizations:
+ - "SeaweedFS CA"
+ dnsNames:
+ - '*.{{ template "seaweedfs.name" . }}-admin'
+ - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}'
+ - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc'
+ - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc.cluster.local'
+{{- if .Values.certificates.ipAddresses }}
+ ipAddresses:
+ {{- range .Values.certificates.ipAddresses }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
+ duration: {{ .Values.certificates.duration }}
+ renewBefore: {{ .Values.certificates.renewBefore }}
+{{- end }}
+
diff --git a/k8s/charts/seaweedfs/templates/cert/worker-cert.yaml b/k8s/charts/seaweedfs/templates/cert/worker-cert.yaml
new file mode 100644
index 000000000..85edeb336
--- /dev/null
+++ b/k8s/charts/seaweedfs/templates/cert/worker-cert.yaml
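Review bot: admin-cert.yaml and worker-cert.yaml (next hunk) are the same 43 lines differing only in the component name, the `.Values.<component>.annotations` lookup and the dnsNames prefix, and presumably match the existing per-component cert templates as well; a named template (e.g. `{{- define "seaweedfs.componentCertificate" -}}` taking the component name) would keep issuer, subject, key and duration settings in one place so a later change to key usages or SANs cannot drift between components. The `organizations: - "SeaweedFS CA"` subject on a leaf certificate issued by `-ca-issuer` is misleading to anyone inspecting the chain, since this certificate is not a CA; I would drop it or use a plain organization name unless the existing component certs carry it and uniformity is the goal. `commonName: {{ .Values.certificates.commonName }}` is an unquoted templated scalar; `commonName: {{ .Values.certificates.commonName | quote }}` avoids an empty value rendering as null and a value starting with a YAML indicator breaking the parse.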
@@ -0,0 +1,43 @@
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Certificate
+metadata:
+ name: {{ template "seaweedfs.name" . }}-worker-cert
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: worker
+ {{- if .Values.worker.annotations }}
+ annotations:
+ {{- toYaml .Values.worker.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ secretName: {{ template "seaweedfs.name" . }}-worker-cert
+ issuerRef:
+ name: {{ template "seaweedfs.name" . }}-ca-issuer
+ kind: Issuer
+ commonName: {{ .Values.certificates.commonName }}
+ subject:
+ organizations:
+ - "SeaweedFS CA"
+ dnsNames:
+ - '*.{{ template "seaweedfs.name" . }}-worker'
+ - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}'
+ - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc'
+ - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc.cluster.local'
+{{- if .Values.certificates.ipAddresses }}
+ ipAddresses:
+ {{- range .Values.certificates.ipAddresses }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+ privateKey:
+ algorithm: {{ .Values.certificates.keyAlgorithm }}
+ size: {{ .Values.certificates.keySize }}
+ duration: {{ .Values.certificates.duration }}
+ renewBefore: {{ .Values.certificates.renewBefore }}
+{{- end }}
+
diff --git a/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml b/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
index 6f229c595..f7fb69ea4 100644
--- a/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
@@ -65,6 +65,14 @@ data:
 cert = "/usr/local/share/ca-certificates/filer/tls.crt"
 key = "/usr/local/share/ca-certificates/filer/tls.key"
 
+ [grpc.admin]
+ cert = "/usr/local/share/ca-certificates/admin/tls.crt"
+ key = "/usr/local/share/ca-certificates/admin/tls.key"
+
+ [grpc.worker]
+ cert = "/usr/local/share/ca-certificates/worker/tls.crt"
+ key = "/usr/local/share/ca-certificates/worker/tls.key"
+
 # use this for any place needs a grpc client
 # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
 [grpc.client]
diff --git a/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml b/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
index 45e8ba65c..60f608702 100644
--- a/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
@@ -171,6 +171,9 @@ spec:
 - name: client-cert
 readOnly: true
 mountPath: /usr/local/share/ca-certificates/client/
+ - name: worker-cert
+ readOnly: true
+ mountPath: /usr/local/share/ca-certificates/worker/
 {{- end }}
 {{ tpl .Values.worker.extraVolumeMounts . | nindent 12 | trim }}
 ports:
@@ -262,6 +265,9 @@ spec:
 - name: client-cert
 secret:
 secretName: {{ template "seaweedfs.name" . }}-client-cert
+ - name: worker-cert
+ secret:
+ secretName: {{ template "seaweedfs.name" . }}-worker-cert
 {{- end }}
 {{ tpl .Values.worker.extraVolumes . | indent 8 | trim }}
 {{- if .Values.worker.nodeSelector }}
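Review bot: The new `[grpc.admin]` and `[grpc.worker]` sections in security-configmap.yaml carry no comment, while the neighbouring `[grpc.client]` section explains which commands read it; add one line above each in the same style, e.g. `# server-side certificate for the admin gRPC endpoint, mounted from the <release>-admin-cert secret` and the worker equivalent. This ConfigMap is shared by every component, yet the admin pod mounts only `/usr/local/share/ca-certificates/admin/` and the worker pod only `.../worker/` (see the admin-statefulset and worker-deployment hunks), so in each pod the other section points at files that do not exist. That is only safe if weed loads just the `grpc.<role>` section for the role it runs, which I assume matches how the existing `[grpc.filer]` entry already works, but it is worth confirming rather than inferring from the pattern.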