diff --git a/charts/openstack-hypervisor-operator/templates/deployment.yaml b/charts/openstack-hypervisor-operator/templates/deployment.yaml
index a4bda03..af49564 100644
--- a/charts/openstack-hypervisor-operator/templates/deployment.yaml
+++ b/charts/openstack-hypervisor-operator/templates/deployment.yaml
@@ -39,6 +39,8 @@ spec:
 secretKeyRef:
 key: SERVICE_PASSWORD
 name: {{ include "openstack-hypervisor-operator.fullname" . }}-secret
+ - name: CERTIFICATE_NAMESPACE
+ value: {{ quote .Values.controllerManager.manager.env.certificateNamespace }}
 - name: CERTIFICATE_ISSUER_NAME
 value: {{ quote .Values.controllerManager.manager.env.certificateIssuerName }}
 - name: LABEL_SELECTOR
diff --git a/charts/openstack-hypervisor-operator/values.yaml b/charts/openstack-hypervisor-operator/values.yaml
index 98cf8a3..23a2583 100644
--- a/charts/openstack-hypervisor-operator/values.yaml
+++ b/charts/openstack-hypervisor-operator/values.yaml
@@ -4,6 +4,7 @@ controllerManager:
 - --metrics-bind-address=:8443
 - --leader-elect
 - --health-probe-bind-address=:8081
+ - --certificate-namespace=$(CERTIFICATE_NAMESPACE)
 - --certificate-issuer-name=$(CERTIFICATE_ISSUER_NAME)
 - --label-selector=$(LABEL_SELECTOR)
 containerSecurityContext:
@@ -12,7 +13,8 @@ controllerManager:
 drop:
 - ALL
 env:
- certificateIssuerName: ""
+ certificateIssuerName: nova-hypervisor-agents-ca-issuer
+ certificateNamespace: monsoon3
 labelSelector: ""
 osAuthUrl: ""
 osProjectDomainName: ""
diff --git a/cmd/main.go b/cmd/main.go
index 00eba06..20c3e8e 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -20,6 +20,7 @@ package main
 import (
 "crypto/sha256"
 "crypto/tls"
+ "errors"
 "flag"
 "fmt"
 "os"
@@ -99,12 +100,23 @@ func main() { flag.StringVar(&certificateIssuerName, "certificate-issuer-name", "nova-hypervisor-agents-ca-issuer", "Name of the certificate issuer.") + if certificateIssuerName == "" { + setupLog.Error(errors.New("certificate-issuer-name cannot be empty"), "invalid certificate issuer name") + os.Exit(1) + } + + if certificateNamespace == "" { + setupLog.Error(errors.New("certificate-namespace cannot be empty"), "invalid certificate namespace") + os.Exit(1) + } + opts := ctrlzap.Options{ Development: true, TimeEncoder: zapcore.ISO8601TimeEncoder, Encoder: logger.NewSanitzeReconcileErrorEncoder(zap.NewDevelopmentEncoderConfig()), StacktraceLevel: zap.DPanicLevel, } + opts.BindFlags(flag.CommandLine) flag.Parse() diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 5641de6..9b55a9c 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -61,6 +61,7 @@ spec: - args: - --leader-elect - --health-probe-bind-address=:8081 + - --certificate-namespace=$(CERTIFICATE_NAMESPACE) - --certificate-issuer-name=$(CERTIFICATE_ISSUER_NAME) - --label-selector=$(LABEL_SELECTOR) env: @@ -75,7 +76,10 @@ spec: secretKeyRef: name: secret key: SERVICE_PASSWORD + - name: CERTIFICATE_NAMESPACE + value: "monsoon3" - name: CERTIFICATE_ISSUER_NAME + value: "nova-hypervisor-agents-ca-issuer" - name: LABEL_SELECTOR image: keppel.eu-de-1.cloud.sap/ccloud/openstack-hypervisor-operator:latest name: manager
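Review bot: Both new emptiness checks in `main()` run before `flag.Parse()`, which this hunk shows further down, so they only ever see the registered defaults and never the values passed on the command line. An explicit `--certificate-issuer-name=` or `--certificate-namespace=` with an empty value would therefore pass unchecked, and if the default for `certificate-namespace` (registered outside this hunk) is empty the process would exit on every start. Move the two `if … == ""` blocks to directly after `flag.Parse()`; the error text can stay as it is. `main()` starts and continues outside the hunk, so where the logger behind `setupLog` is installed is not visible here and should be checked so the error is actually emitted before `os.Exit(1)`.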