diff --git a/letsencrypt-staging-issuer.yaml b/letsencrypt-staging-issuer.yaml
new file mode 100644
index 0000000..9d14da0
--- /dev/null
+++ b/letsencrypt-staging-issuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # Let's Encrypt Staging server - no rate limits for testing
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: dvirlabs@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            key: api-token
+            name: cloudflare-api-token
diff --git a/manifests/harbor/values.yaml b/manifests/harbor/values.yaml
index b084cbd..8fd42e6 100644
--- a/manifests/harbor/values.yaml
+++ b/manifests/harbor/values.yaml
@@ -12,8 +12,8 @@ expose:
   ingress:
     className: traefik
     annotations:
-      # cert-manager annotation - will create the certificate automatically
-      cert-manager.io/cluster-issuer: letsencrypt
+      # TEMPORARY: Using staging to avoid rate limits (switch back to 'letsencrypt' after March 23, 2026)
+      cert-manager.io/cluster-issuer: letsencrypt-staging
       # Traefik specific annotations for HTTPS routing
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"