diff --git a/pkg/cloud/services/iam/podidentitywebhook.go b/pkg/cloud/services/iam/podidentitywebhook.go
index 8901d6cd07..617e904d9c 100644
--- a/pkg/cloud/services/iam/podidentitywebhook.go
+++ b/pkg/cloud/services/iam/podidentitywebhook.go
@@ -3,6 +3,7 @@ package iam
 import (
 	"context"
 	"errors"
+	"fmt"
 	v14 "k8s.io/api/admissionregistration/v1"
 	v13 "k8s.io/api/apps/v1"
@@ -17,6 +18,8 @@ import (
 )
 const (
+	certManagerInjectCAAnnotation = "cert-manager.io/inject-ca-from"
 	podIdentityWebhookName = "pod-identity-webhook"
 	podIdentityWebhookImage = "amazon/amazon-eks-pod-identity-webhook:v0.5.2"
@@ -323,6 +326,20 @@ func reconcileMutatingWebHook(ctx context.Context, ns string, secret *corev1.Sec
 	}
 	if check.UID != "" {
+		updateAnnotations := false
+		if len(check.Annotations) == 0 {
+			check.Annotations = map[string]string{
+				certManagerInjectCAAnnotation: fmt.Sprintf("%s/%s", ns, secret.Name),
+			}
+			updateAnnotations = true
+		} else if check.Annotations[certManagerInjectCAAnnotation] == "" {
+			check.Annotations[certManagerInjectCAAnnotation] = fmt.Sprintf("%s/%s", ns, secret.Name)
+			updateAnnotations = true
+		}
+		if updateAnnotations {
+			return remoteClient.Update(ctx, check)
+		}
 		return nil
 	}
@@ -332,6 +349,9 @@ func reconcileMutatingWebHook(ctx context.Context, ns string, secret *corev1.Sec
 	}
 	mwhMeta := objectMeta(podIdentityWebhookName, ns)
+	mwhMeta.Annotations = map[string]string{
+		certManagerInjectCAAnnotation: fmt.Sprintf("%s/%s", ns, secret.Name),
+	}
 	fail := v14.Ignore
 	none := v14.SideEffectClassNone
 	mutate := "/mutate"
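Review bot: In the `check.UID != ""` branch the annotation is only written when it is absent or empty, so an existing `cert-manager.io/inject-ca-from` value that points somewhere else (for example after the secret name or namespace changed) is never corrected and cert-manager keeps injecting the CA bundle from the stale reference. Comparing against the expected value handles both the missing and the stale case in one path and removes the triplicated `fmt.Sprintf("%s/%s", ns, secret.Name)`, which is also built in the `mwhMeta.Annotations` hunk; a small helper such as `injectCAFromRef(ns, secret.Name)` would keep the two hunks consistent. Separately, cert-manager's `inject-ca-from` annotation names a Certificate resource (`namespace/certificate-name`) rather than a Secret, so this only works if a Certificate named `secret.Name` exists; if the intent is to reference the Secret directly, `cert-manager.io/inject-ca-from-secret` (which requires the secret to carry `cert-manager.io/allow-direct-injection: "true"`) is the matching annotation, which I could not confirm from this diff. reconcileMutatingWebHook starts and ends outside the hunk.
```go
	if check.UID != "" {
		want := fmt.Sprintf("%s/%s", ns, secret.Name)
		// Reading a nil map is safe; only the write needs a non-nil map.
		if check.Annotations[certManagerInjectCAAnnotation] != want {
			if check.Annotations == nil {
				check.Annotations = map[string]string{}
			}
			check.Annotations[certManagerInjectCAAnnotation] = want
			return remoteClient.Update(ctx, check)
		}
		return nil
	}
	// … unchanged: creation path below …
```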