diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 779c59d..a8429b5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,6 +1,13 @@
 on:
 workflow_call:
 inputs:
+ additional_certificate_arns:
+ # Arrays are not supported by Github resuable workflow inputs. It might be best to
+ # move back to defining each environment workflow completely independently.
+ default: "[]"
+ description: "A set of additional ACM certificate ARNs to be assigned to the ALB listener."
+ required: false
+ type: string
 aws_region:
 description: The AWS region target for deployment
 required: true
@@ -64,6 +71,7 @@ jobs:
 - name: Terraform Apply
 run: |
 terraform apply -auto-approve \
+ -var="additional_certificate_arns=${{ inputs.additional_certificate_arns }}" \
 -var="aws_region=${{ inputs.aws_region }}" \
 -var="aws_replication_region=${{ inputs.aws_replication_region }}" \
 -var="dns_name=${{ inputs.dns_name }}" \
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 3ee86ca..cc40776 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -26,7 +26,7 @@ jobs:
 aws_region: us-east-1
 aws_replication_region: us-west-2
 aws_s3_terraform_state_object_key: production.tfstate
- dns_name: aws-ecs-demo.carlucci.network
+ dns_name: prod.aws-ecs-demo.carlucci.network
 environment_name: prod
 vpc_cidr_index: 0
 secrets:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 36a4ee3..fc5c9c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 0.3.0
+
+* Additional ACM certificate assignment
+
 # 0.2.1
 
 * HOTFIX: Fix production dns_name in manifest
diff --git a/terraform/ec2.tf b/terraform/ec2.tf
index b76130e..66dae9a 100644
--- a/terraform/ec2.tf
+++ b/terraform/ec2.tf
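Review bot: The new `description` for `additional_certificate_arns` does not tell a caller what string shape is accepted: the value is later passed to `terraform -var` for a `set(string)` variable, so it has to be an HCL/JSON list literal, and only the default `"[]"` hints at that. Suggest `description: 'HCL list literal of additional ACM certificate ARNs, e.g. ["arn:aws:acm:..."]; use "[]" for none.'` so the format is explicit at the call site. The comment above it also has a typo (`resuable` → `reusable`, and `Github` → `GitHub`).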
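Review bot: The added `-var="additional_certificate_arns=${{ inputs.additional_certificate_arns }}"` line breaks for any non-default value, because the `${{ }}` expression is substituted into the `run:` script before the shell parses it: a list such as `["arn:aws:acm:..."]` sits inside the shell's double-quoted word, so the inner quotes are consumed and Terraform receives `[arn:aws:acm:...]`, which is not a valid list expression. For the same reason, any shell metacharacters in the input are executed rather than passed through; the existing `-var` lines for `aws_region`, `aws_replication_region` and `dns_name` share that pattern. The usual fix is to hand the value to Terraform through the environment instead, e.g. on the step `env:` / `TF_VAR_additional_certificate_arns: ${{ inputs.additional_certificate_arns }}` and drop the `-var` line, since Terraform parses `TF_VAR_*` values for complex types as HCL. The rest of the `Terraform Apply` step continues outside the hunk.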
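Review bot: The production `dns_name` change is not recorded in the `0.3.0` changelog entry added in the same commit, which lists only the certificate feature; given that `0.2.1` was a hotfix for this exact value, an entry such as `* Production dns_name changed to prod.aws-ecs-demo.carlucci.network` keeps the history traceable. Whether the ACM certificate and DNS records for the old name are adjusted elsewhere is not visible from this hunk.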
@@ -96,3 +96,11 @@ resource "aws_lb_listener" "https" {
 port = 443
 protocol = "HTTPS"
 }
+
+# Support the assigment of external certificates by ARN
+resource "aws_lb_listener_certificate" "additional" {
+ for_each = var.additional_certificate_arns
+
+ listener_arn = aws_lb_listener.https.arn
+ certificate_arn = each.value
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index edda7ed..a5758af 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,3 +1,9 @@
+variable "additional_certificate_arns" {
+ default = []
+ description = "A set of additional ACM certificate ARNs to be assigned to the ALB listener."
+ type = set(string)
+}
+
 variable "aws_region" {
 default = "us-east-1"
 description = "The AWS region name in which the main infrastructure should be deployed."
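Review bot: The header comment on the new `aws_lb_listener_certificate.additional` resource has a typo (`assigment`) and does not say how these certificates relate to the listener's default one or what constraints apply; suggest `# Additional ACM certificates attached to the HTTPS listener, served alongside the default certificate (SNI). ACM certificates are regional, so each must be issued in the ALB's region.` Keying `for_each` on the ARN itself is fine here, since it makes each certificate its own resource instance and a changed ARN only replaces that one attachment.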
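Review bot: `additional_certificate_arns` accepts any string, so a malformed or non-ACM ARN (or a stray value produced by the workflow's string-to-list hand-off) is only rejected by the AWS API at apply time, after the plan has been approved. A `validation` block on the variable would fail at plan time with a clear message instead; this needs `alltrue`/`can` (Terraform 0.14+), which I cannot confirm from the hunk is the pinned version.
```hcl
variable "additional_certificate_arns" {
  // … unchanged: default, description, type …

  validation {
    condition = alltrue([
      for arn in var.additional_certificate_arns : can(regex("^arn:aws[a-z-]*:acm:", arn))
    ])
    error_message = "Each entry must be an ACM certificate ARN (arn:aws...:acm:...)."
  }
}
```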