diff --git a/.junie/memory/language.json b/.junie/memory/language.json
index c3965f7..800d49d 100644
--- a/.junie/memory/language.json
+++ b/.junie/memory/language.json
@@ -1 +1 @@
-[{"lang":"en","usageCount":37}]
\ No newline at end of file
+[{"lang":"en","usageCount":39}]
\ No newline at end of file
diff --git a/internal/grpcserver/server.go b/internal/grpcserver/server.go
index 85666db..5cc93f9 100644
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -126,6 +126,9 @@ func sealRequiredMethods() map[string]bool {
 		"/metacrypt.v2.CAService/GetCert":          true,
 		"/metacrypt.v2.CAService/ListCerts":        true,
 		"/metacrypt.v2.CAService/RenewCert":        true,
+		"/metacrypt.v2.CAService/SignCSR":          true,
+		"/metacrypt.v2.CAService/RevokeCert":       true,
+		"/metacrypt.v2.CAService/DeleteCert":       true,
 		"/metacrypt.v2.PolicyService/CreatePolicy": true,
 		"/metacrypt.v2.PolicyService/ListPolicies": true,
 		"/metacrypt.v2.PolicyService/GetPolicy":    true,
@@ -153,6 +156,9 @@ func authRequiredMethods() map[string]bool {
 		"/metacrypt.v2.CAService/GetCert":          true,
 		"/metacrypt.v2.CAService/ListCerts":        true,
 		"/metacrypt.v2.CAService/RenewCert":        true,
+		"/metacrypt.v2.CAService/SignCSR":          true,
+		"/metacrypt.v2.CAService/RevokeCert":       true,
+		"/metacrypt.v2.CAService/DeleteCert":       true,
 		"/metacrypt.v2.PolicyService/CreatePolicy": true,
 		"/metacrypt.v2.PolicyService/ListPolicies": true,
 		"/metacrypt.v2.PolicyService/GetPolicy":    true,
@@ -173,6 +179,8 @@ func adminRequiredMethods() map[string]bool {
 		"/metacrypt.v2.CAService/ImportRoot":       true,
 		"/metacrypt.v2.CAService/CreateIssuer":     true,
 		"/metacrypt.v2.CAService/DeleteIssuer":     true,
+		"/metacrypt.v2.CAService/RevokeCert":       true,
+		"/metacrypt.v2.CAService/DeleteCert":       true,
 		"/metacrypt.v2.PolicyService/CreatePolicy": true,
 		"/metacrypt.v2.PolicyService/DeletePolicy": true,
 		"/metacrypt.v2.ACMEService/SetConfig":      true,
diff --git a/internal/webserver/routes.go b/internal/webserver/routes.go
index 7f580a2..ba87941 100644
--- a/internal/webserver/routes.go
+++ b/internal/webserver/routes.go
@@ -479,6 +479,12 @@ func (ws *WebServer) handleIssuerDetail(w http.ResponseWriter, r *http.Request)
 }
 
 func (ws *WebServer) handleIssueCert(w http.ResponseWriter, r *http.Request) {
+	// Disable the server-wide write deadline for this handler: it streams a
+	// tgz response only after several serial gRPC calls, which can easily
+	// consume the 30 s WriteTimeout before we start writing.  We set our own
+	// 60 s deadline just before the write phase below.
+	_ = http.NewResponseController(w).SetWriteDeadline(time.Time{})
+
 	info := tokenInfoFromContext(r.Context())
 	token := extractCookie(r)