diff --git a/cmd/server/main.go b/cmd/server/main.go
index 568583f..0acd40c 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -329,7 +329,12 @@ func main() {
 	// counters get wired in Phase 8 when the Prometheus exposer reads
 	// them.
 	ocspResponseCacheRepo := postgres.NewOCSPResponseCacheRepository(db)
-	ocspResponseCacheService := service.NewOCSPResponseCacheService(ocspResponseCacheRepo, caOperationsSvc, nil, logger)
+	// Production hardening II Phase 8: share a single OCSPCounters
+	// instance between the cache service (Phase 2) and the Prometheus
+	// exposer (Phase 8) so the metrics endpoint reflects every counter
+	// tick that happens inside the cache service's hot path.
+	ocspCounters := service.NewOCSPCounters()
+	ocspResponseCacheService := service.NewOCSPResponseCacheService(ocspResponseCacheRepo, caOperationsSvc, ocspCounters, logger)
 	caOperationsSvc.SetOCSPCacheSvc(ocspResponseCacheService)
 	// Load-bearing security wire: invalidate the cache after a successful
 	// revocation so the next OCSP fetch returns "revoked" (not the stale
@@ -524,6 +529,11 @@ func main() {
 	notificationHandler := handler.NewNotificationHandler(notificationService)
 	statsHandler := handler.NewStatsHandler(statsService)
 	metricsHandler := handler.NewMetricsHandler(statsService, time.Now())
+	// Production hardening II Phase 8: wire the per-area counter
+	// snapshotters so the Prometheus exposer surfaces them. Operators
+	// alert on certctl_ocsp_counter_total{label="rate_limited"},
+	// {label="nonce_malformed"}, etc.
+	metricsHandler.SetOCSPCounters(ocspCounters)
 	// Bundle-5 / H-006: pass the *sql.DB pool so /ready can probe DB
 	// connectivity via PingContext. /health stays shallow (liveness signal).
 	healthHandler := handler.NewHealthHandler(cfg.Auth.Type, db)
diff --git a/internal/api/handler/metrics.go b/internal/api/handler/metrics.go
index ccc1909..8b7040a 100644
--- a/internal/api/handler/metrics.go
+++ b/internal/api/handler/metrics.go
@@ -15,12 +15,27 @@ type MetricsService interface {
 	GetDashboardSummary(ctx context.Context) (interface{}, error)
 }
 
+// CounterSnapshotter is the minimum surface MetricsHandler consumes
+// from a counter table for the Prometheus exposer. The OCSPCounters
+// type in internal/service satisfies this; future per-area counter
+// tabs (CRL, cert-export, EST, SCEP, Intune) plug in the same way.
+//
+// Production hardening II Phase 8.
+type CounterSnapshotter interface {
+	Snapshot() map[string]uint64
+}
+
 // MetricsHandler handles HTTP requests for metrics.
 // Supports both JSON format (GET /api/v1/metrics) and Prometheus exposition format
 // (GET /api/v1/metrics/prometheus) for integration with Prometheus, Grafana, Datadog, etc.
 type MetricsHandler struct {
 	svc           MetricsService
 	serverStarted time.Time
+	// Production hardening II Phase 8 — per-area counter snapshotters.
+	// nil values omit the corresponding metric block; cmd/server/main.go
+	// wires the instances at startup. The naming convention is
+	// certctl_<area>_<label>_total per frozen decision 0.10.
+	ocspCounters CounterSnapshotter
 }
 
 // NewMetricsHandler creates a new MetricsHandler with a service dependency.
@@ -32,6 +47,13 @@ func NewMetricsHandler(svc MetricsService, serverStarted time.Time) MetricsHandl
 	}
 }
 
+// SetOCSPCounters wires the OCSP counter table for the per-area
+// metric block in the Prometheus exposition. nil disables the block.
+// Production hardening II Phase 8.
+func (h *MetricsHandler) SetOCSPCounters(c CounterSnapshotter) {
+	h.ocspCounters = c
+}
+
 // MetricsResponse represents the JSON metrics response for V2.
 type MetricsResponse struct {
 	Gauge   MetricsGauge   `json:"gauge"`
@@ -222,6 +244,28 @@ func (h MetricsHandler) GetPrometheusMetrics(w http.ResponseWriter, r *http.Requ
 	fmt.Fprintf(w, "# HELP certctl_uptime_seconds Server uptime in seconds.\n")
 	fmt.Fprintf(w, "# TYPE certctl_uptime_seconds gauge\n")
 	fmt.Fprintf(w, "certctl_uptime_seconds %d\n", uptimeSeconds)
+
+	// Production hardening II Phase 8 — per-area counters. Each block
+	// is nil-guarded so a deploy without the wire still produces clean
+	// output (just the legacy dashboard metrics above). Naming
+	// convention: certctl_<area>_<label>_total per frozen decision
+	// 0.10.
+	if h.ocspCounters != nil {
+		fmt.Fprintf(w, "\n# HELP certctl_ocsp_counter_total OCSP responder per-event counters (production hardening II Phase 8).\n")
+		fmt.Fprintf(w, "# TYPE certctl_ocsp_counter_total counter\n")
+		snap := h.ocspCounters.Snapshot()
+		// Emit in a deterministic order so the output diff is stable
+		// across requests (helps operators spot drift in dashboard
+		// snapshots).
+		labels := []string{
+			"request_get", "request_post", "request_success", "request_invalid",
+			"issuer_not_found", "cert_not_found", "signing_failed",
+			"nonce_echoed", "nonce_malformed", "rate_limited",
+		}
+		for _, lbl := range labels {
+			fmt.Fprintf(w, "certctl_ocsp_counter_total{label=%q} %d\n", lbl, snap[lbl])
+		}
+	}
 }
 
 // DashboardSummary mirrors the service.DashboardSummary for JSON unmarshaling.