diff --git a/charts/spark-operator-chart/Chart.yaml b/charts/spark-operator-chart/Chart.yaml
index dde1fae41..eceef8b99 100644
--- a/charts/spark-operator-chart/Chart.yaml
+++ b/charts/spark-operator-chart/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: spark-operator
 description: A Helm chart for Spark on Kubernetes operator
-version: 1.1.25
+version: 1.1.26
 appVersion: v1beta2-1.3.7-3.1.1
 keywords:
 - spark
diff --git a/charts/spark-operator-chart/templates/cert-manager-certificate.yaml b/charts/spark-operator-chart/templates/cert-manager-certificate.yaml
new file mode 100644
index 000000000..c19229782
--- /dev/null
+++ b/charts/spark-operator-chart/templates/cert-manager-certificate.yaml
@@ -0,0 +1,28 @@
+{{- $webhookSvc := printf "%s-webhook.%s" (include "spark-operator.fullname" .) .Release.Namespace -}}
+{{- if and .Values.webhook.enable .Values.webhook.certManager.enable }}
+apiVersion: cert-manager.io/v1alpha3
+kind: Certificate
+metadata:
+  name: {{ include "spark-operator.fullname" . }}-webhook-cert
+  labels:
+  {{- include "spark-operator.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+  - {{ $webhookSvc }}.svc
+  - {{ $webhookSvc }}.svc.cluster.local
+  duration: 87600h0m0s
+  {{- if .Values.webhook.certManager.issuerRef }}
+  issuerRef: {{ toYaml .Values.webhook.certManager.issuerRef | nindent 4 }}
+  {{- else }}
+  {{ fail "webhook.certManager.issuerRef is required when certManager is enabled"}}
+  {{- end }}
+  renewBefore: {{ .Values.webhook.certManager.expiration }}
+  secretName: {{ include "spark-operator.fullname" . }}-webhook-certs
+  subject:
+    organizationalUnits:
+    - {{ include "spark-operator.fullname" . }}
+  usages:
+  # All Server TLS certs need to be created with "server auth" usage!
+  - server auth
+  - client auth
+{{- end }}
diff --git a/charts/spark-operator-chart/templates/deployment.yaml b/charts/spark-operator-chart/templates/deployment.yaml
index 127a2dd5e..449b81439 100644
--- a/charts/spark-operator-chart/templates/deployment.yaml
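Review bot: `duration: 87600h0m0s` hard-codes a ten-year lifetime for the webhook serving certificate while only the renewal window is taken from values (`renewBefore: {{ .Values.webhook.certManager.expiration }}`), so an operator who wants short-lived certificates has to edit the template; exposing it as a value with the same default, e.g. `duration: {{ .Values.webhook.certManager.duration | default "87600h0m0s" }}`, keeps current behaviour and makes the lifetime a deployment choice. The `usages` list also grants `client auth`, which a webhook server certificate has no use for; keeping only `server auth` limits the certificate to its single purpose. `apiVersion: cert-manager.io/v1alpha3` is the pre-1.0 API version; if the chart targets cert-manager 1.x, `cert-manager.io/v1` is the stable version and the alpha versions are removed in later releases, so this should at least be stated as a supported-version constraint in the chart docs. The comment above `usages` would read better as an explanation than an exclamation, e.g. `# Serving cert for the webhook: the "server auth" usage is required for the API server to accept it.`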
+++ b/charts/spark-operator-chart/templates/deployment.yaml
@@ -79,6 +79,11 @@ spec:
         - -webhook-svc-name={{ include "spark-operator.fullname" . }}-webhook
         - -webhook-config-name={{ include "spark-operator.fullname" . }}-webhook-config
         - -webhook-namespace-selector={{ .Values.webhook.namespaceSelector }}
+        {{- if .Values.webhook.certManager.enable }}
+        - -webhook-server-cert=/etc/webhook-certs/tls.crt
+        - -webhook-server-cert-key=/etc/webhook-certs/tls.key
+        - -webhook-ca-cert=/etc/webhook-certs/ca.crt
+        {{- end }}
         {{- end }}
         - -enable-resource-quota-enforcement={{ .Values.resourceQuotaEnforcement.enable }}
         {{- if gt (int .Values.replicaCount) 1 }}
diff --git a/charts/spark-operator-chart/templates/webhook-cleanup-job.yaml b/charts/spark-operator-chart/templates/webhook-cleanup-job.yaml
index 0ab1350d0..535df3461 100644
--- a/charts/spark-operator-chart/templates/webhook-cleanup-job.yaml
+++ b/charts/spark-operator-chart/templates/webhook-cleanup-job.yaml
@@ -1,4 +1,5 @@
 {{ if .Values.webhook.enable }}
+{{ if not .Values.webhook.certManager }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -54,3 +55,4 @@ spec:
       nodeSelector:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}
diff --git a/charts/spark-operator-chart/templates/webhook-init-job.yaml b/charts/spark-operator-chart/templates/webhook-init-job.yaml
index 10fab8f5e..96ab1b5cf 100644
--- a/charts/spark-operator-chart/templates/webhook-init-job.yaml
+++ b/charts/spark-operator-chart/templates/webhook-init-job.yaml
@@ -1,4 +1,5 @@
 {{ if .Values.webhook.enable }}
+{{ if not .Values.webhook.certManager }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -44,3 +45,4 @@ spec:
       nodeSelector:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}
diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml
index 891b45f6b..6b0972f36 100644
--- a/charts/spark-operator-chart/values.yaml
+++ b/charts/spark-operator-chart/values.yaml
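Review bot: The three added flags point at `/etc/webhook-certs/tls.crt`, `tls.key` and `ca.crt`, but nothing in this commit mounts the cert-manager secret (`{{ include "spark-operator.fullname" . }}-webhook-certs`, as named in cert-manager-certificate.yaml) into the operator container, so unless deployment.yaml already carries such a mount outside this hunk the operator will be started with paths that do not exist. The container and pod specs continue outside the hunk; the mount and volume would belong under the same `.Values.webhook.certManager.enable` guard, as sketched below. Note also that `ca.crt` is only written into the secret by issuer types that publish a CA (CA and SelfSigned issuers do, others may not), so the `-webhook-ca-cert` flag should be documented as depending on the chosen issuer.
```yaml
# … in the operator container, alongside its existing volumeMounts (or as a new list) …
        {{- if .Values.webhook.certManager.enable }}
        volumeMounts:
        - name: webhook-certs
          mountPath: /etc/webhook-certs
          readOnly: true
        {{- end }}
# … at pod-spec level, alongside existing volumes (or as a new list) …
      {{- if .Values.webhook.certManager.enable }}
      volumes:
      - name: webhook-certs
        secret:
          secretName: {{ include "spark-operator.fullname" . }}-webhook-certs
      {{- end }}
```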
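Review bot: `{{ if not .Values.webhook.certManager }}` tests the whole `certManager` map rather than its `enable` flag; with the defaults this commit adds to values.yaml that map is never empty (`enable`, `expiration`, `issuerRef`), so `not` is always false and the cleanup job is never rendered even when cert-manager is disabled — the first hunk of webhook-init-job.yaml has the same guard and the same problem. The condition should be `{{ if not .Values.webhook.certManager.enable }}` in both files, matching the `.enable` checks used in deployment.yaml and cert-manager-certificate.yaml. Since the init job presumably provisions the webhook certificate when cert-manager is not in use, the guard as written would leave the webhook without a certificate in the default configuration.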
@@ -98,6 +98,14 @@ webhook:
     "helm.sh/hook-delete-policy": hook-succeeded
   # -- Webhook Timeout in seconds
   timeout: 30
+  # certManager, uses cert-manager to handle self-signed certificates
+  # `issuerRef` is required
+  certManager:
+    enable: false
+    expiration: 720h0m0s
+    issuerRef: {}
+      # name: selfsigned
+      # kind: ClusterIssuer
 metrics:
   # -- Enable prometheus metric scraping
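Review bot: `expiration: 720h0m0s` is consumed as `spec.renewBefore` in cert-manager-certificate.yaml while the certificate's actual lifetime is fixed at `87600h0m0s` in that template, so the key name promises a control the value does not have; naming it for what it does, `renewBefore: 720h0m0s`, and updating the template reference would avoid that confusion. The new keys also skip the `# --` helm-docs convention used throughout this file (`# -- Webhook Timeout in seconds`), so they will be absent from the generated README; e.g. `# -- Use cert-manager to issue the webhook serving certificate; issuerRef must then be set` above `certManager:` and `# -- Renew the webhook certificate this long before it expires` above the duration key. The leading comment also says "self-signed certificates", but the `issuerRef` accepts any cert-manager issuer, so "to issue the webhook certificate" describes it more accurately.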