diff --git a/charts/helm/checkmate/INSTALLATION.md b/charts/helm/checkmate/INSTALLATION.md
index 74e58c097..06cf9f7b9 100644
--- a/charts/helm/checkmate/INSTALLATION.md
+++ b/charts/helm/checkmate/INSTALLATION.md
@@ -87,6 +87,8 @@ You can also enable TLS during installation using Helm's `--set` flags:
 ```bash
 helm install checkmate ./charts/helm/checkmate \
+ --set client.protocol=https \
+ --set server.protocol=https \
 --set client.ingress.annotations."cert-manager\.io/cluster-issuer"="letsencrypt-prod" \
 --set client.ingress.tls.enabled=true \
 --set client.ingress.tls.secretName=checkmate-client-tls \
diff --git a/charts/helm/checkmate/templates/_prechecks.yaml b/charts/helm/checkmate/templates/_prechecks.yaml
deleted file mode 100644
index 235bc0b8f..000000000
--- a/charts/helm/checkmate/templates/_prechecks.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{- if eq .Values.client.ingress.host "change_me" }}
- {{- fail "client.ingress.host must be overridden and not set to 'change_me'" }}
-{{- end }}
-
-{{- if eq .Values.server.ingress.host "change_me" }}
- {{- fail "server.ingress.host must be overridden and not set to 'change_me'" }}
-{{- end }}
-
-{{- $serverProtocol := .Values.server.protocol }}
-{{- if not (or (eq $serverProtocol "http") (eq $serverProtocol "https")) }}
- {{- fail "server.protocol must be either 'http' or 'https'" }}
-{{- end }}
-
-{{- $clientProtocol := .Values.client.protocol }}
-{{- if not (or (eq $clientProtocol "http") (eq $clientProtocol "https")) }}
- {{- fail "client.protocol must be either 'http' or 'https'" }}
-{{- end }}
-
-{{/* Enforce protocol when TLS is enabled to avoid mixed-content */}}
-{{- if and .Values.client.ingress.tls.enabled (ne $clientProtocol "https") }}
- {{- fail "client.ingress.tls.enabled is true but client.protocol is not 'https'. Set client.protocol: https to avoid mixed content." }}
-{{- end }}
-
-{{- if and .Values.server.ingress.tls.enabled (ne $serverProtocol "https") }}
- {{- fail "server.ingress.tls.enabled is true but server.protocol is not 'https'. Set server.protocol: https to ensure correct API base URL." }}
-{{- end }}
-
-{{/* Fail early if TLS enabled without cert-manager annotations (cluster-issuer or issuer) */}}
-{{- $cAnn := .Values.client.ingress.annotations | default dict }}
-{{- $sAnn := .Values.server.ingress.annotations | default dict }}
-
-{{- $clientHasIssuer := or (hasKey $cAnn "cert-manager.io/cluster-issuer") (hasKey $cAnn "cert-manager.io/issuer") }}
-{{- $serverHasIssuer := or (hasKey $sAnn "cert-manager.io/cluster-issuer") (hasKey $sAnn "cert-manager.io/issuer") }}
-
-{{- if and .Values.client.ingress.tls.enabled (not $clientHasIssuer) }}
- {{- fail "client.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
-{{- end }}
-
-{{- if and .Values.server.ingress.tls.enabled (not $serverHasIssuer) }}
- {{- fail "server.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
-{{- end }}
diff --git a/charts/helm/checkmate/templates/client-ingress.yaml b/charts/helm/checkmate/templates/client-ingress.yaml
index 5965edfed..4fe126ea6 100644
--- a/charts/helm/checkmate/templates/client-ingress.yaml
+++ b/charts/helm/checkmate/templates/client-ingress.yaml
@@ -15,7 +15,7 @@ spec:
 tls:
 - hosts:
 - {{ .Values.client.ingress.host }}
- secretName: {{ .Values.client.ingress.tls.secretName }}
+ secretName: {{ default (printf "%s-client-tls" .Release.Name) .Values.client.ingress.tls.secretName }}
 {{- end }}
 rules:
 - host: {{ .Values.client.ingress.host }}
diff --git a/charts/helm/checkmate/templates/prechecks.yaml b/charts/helm/checkmate/templates/prechecks.yaml
index d9264d60c..e2b9ec5c2 100644
--- a/charts/helm/checkmate/templates/prechecks.yaml
+++ b/charts/helm/checkmate/templates/prechecks.yaml
@@ -45,11 +45,4 @@
 {{- fail "server.ingress.tls.enabled is true but no cert-manager issuer annotation found. Add 'cert-manager.io/cluster-issuer' or 'cert-manager.io/issuer'." }}
 {{- end }}
-{{/* Secret name must be set when TLS is enabled (Ingress requires it) */}}
-{{- if and .Values.client.ingress.tls.enabled (not .Values.client.ingress.tls.secretName) }}
- {{- fail "client.ingress.tls.enabled is true but client.ingress.tls.secretName is empty. Set a secretName for cert-manager to manage." }}
-{{- end }}
-
-{{- if and .Values.server.ingress.tls.enabled (not .Values.server.ingress.tls.secretName) }}
- {{- fail "server.ingress.tls.enabled is true but server.ingress.tls.secretName is empty. Set a secretName for cert-manager to manage." }}
-{{- end }}
+{{/* Secret name can be omitted; we default to -client|server-tls in templates */}}
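Review bot: The defaulted secretName on the `+` line of client-ingress.yaml is emitted as a bare scalar even though its fallback branch is an operator-supplied string; rendering it with `| quote` keeps a value containing YAML-significant characters from changing the shape of the Ingress document: `secretName: {{ default (printf "%s-client-tls" .Release.Name) .Values.client.ingress.tls.secretName | quote }}`. The same expression is repeated in server-ingress.yaml with only the suffix changed, and the resulting names are restated in comments in prechecks.yaml and values.yaml, so a named template (`define` + `include`, parameterised by the component suffix) would keep those places from drifting. The `{{- if ... }}` block closed by the `{{- end }}` context line starts before this hunk.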
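Review bot: The replacement comment on the `+` line says the default is `-client|server-tls`, but the ingress templates in this commit default to `<release>-client-tls` / `<release>-server-tls` via `.Release.Name`, so the comment omits the prefix an operator would need when looking for the secret or pre-creating it. Suggest `{{/* tls.secretName may be omitted; the ingress templates default it to "<release>-client-tls" / "<release>-server-tls" */}}`. Dropping the empty-secretName checks is consistent with Sprig's `default`, which treats an empty string as unset, and the issuer-annotation checks visible in the context lines above still reject TLS being enabled with no cert-manager issuer, which is the configuration that would otherwise leave the Ingress pointing at a secret nothing creates.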
diff --git a/charts/helm/checkmate/templates/server-ingress.yaml b/charts/helm/checkmate/templates/server-ingress.yaml
index 92201714a..34c9ac0dc 100644
--- a/charts/helm/checkmate/templates/server-ingress.yaml
+++ b/charts/helm/checkmate/templates/server-ingress.yaml
@@ -22,7 +22,7 @@ spec:
 tls:
 - hosts:
 - {{ .Values.server.ingress.host }}
- secretName: {{ .Values.server.ingress.tls.secretName }}
+ secretName: {{ default (printf "%s-server-tls" .Release.Name) .Values.server.ingress.tls.secretName }}
 {{- end }}
 rules:
 - host: {{ .Values.server.ingress.host }}
diff --git a/charts/helm/checkmate/values.yaml b/charts/helm/checkmate/values.yaml
index 5ca09a007..9a586dd54 100644
--- a/charts/helm/checkmate/values.yaml
+++ b/charts/helm/checkmate/values.yaml
@@ -12,7 +12,7 @@ client:
 # cert-manager.io/cluster-issuer: "letsencrypt-prod"
 tls:
 enabled: false
- # secretName: checkmate-client-tls # Uncomment and set if using TLS with cert-manager
+ # secretName: {{ .Release.Name }}-client-tls # Optional; defaults to -client-tls if omitted
 # Note: when enabling TLS, also set client.protocol: https and add
 # a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod").
 # The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation
@@ -31,7 +31,7 @@ server:
 # cert-manager.io/cluster-issuer: "letsencrypt-prod"
 tls:
 enabled: false
- # secretName: checkmate-server-tls # Uncomment and set if using TLS with cert-manager
+ # secretName: {{ .Release.Name }}-server-tls # Optional; defaults to -server-tls if omitted
 # Note: when enabling TLS, also set server.protocol: https and add
 # a cert-manager issuer annotation (e.g. cert-manager.io/cluster-issuer: "letsencrypt-prod").
 # The secret will be automatically created by cert-manager when using the cert-manager.io/cluster-issuer annotation
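Review bot: The replacement comment on the `+` line of the client hunk, `# secretName: {{ .Release.Name }}-client-tls`, shows a value that cannot be used as written: Helm does not pass values.yaml through the template engine, so an operator who uncomments it gets either a YAML parse error (the leading `{{` opens a flow mapping) or the literal text, never the release name; the server hunk below has the same problem. The trailing explanation also drops the release prefix that the ingress templates actually apply. Suggest keeping a plain literal as the example and stating the real default: `# secretName: checkmate-client-tls  # Optional; defaults to "<release>-client-tls" when omitted`, and the mirror `"<release>-server-tls"` for the server hunk.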