diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
index d57822061..69ce224eb 100644
--- a/helm/aws-load-balancer-controller/templates/webhook.yaml
+++ b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -235,7 +235,7 @@ spec:
 - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
 issuerRef:
 kind: Issuer
- name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
+ name: {{ default (printf "%s-selfsigned-issuer" (include "aws-load-balancer-controller.namePrefix" .)) .Values.certManager.existingIssuerName }}
 secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
 {{- with .Values.certManager -}}
 {{ if .duration }}
@@ -246,6 +246,7 @@ spec:
 {{- end }}
 {{- end }}
 ---
+{{- if not $.Values.certManager.existingIssuerName }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -256,3 +257,4 @@ metadata:
 spec:
 selfSigned: {}
 {{- end }}
+{{- end }}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 8eb1f19e8..eee3cd6ec 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -119,6 +119,9 @@ enableCertManager: false
 certManager:
 duration:
 renewBefore:
+ # name of the existing issuer to use for certificate requests
+ # when set, the controller will not create a self-signed issuer
+ existingIssuerName:
 # The name of the Kubernetes cluster. A non-empty value is required
 clusterName:
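Review bot: In the `issuerRef` hunk of `templates/webhook.yaml`, `kind: Issuer` stays hard-coded while `name` can now point at a user-supplied issuer. `existingIssuerName` therefore only works for a namespaced Issuer in the release namespace; a ClusterIssuer name would leave the Certificate unable to resolve its issuer. Either document that restriction or make the kind configurable, e.g. `kind: {{ default "Issuer" .Values.certManager.existingIssuerKind }}` (a new value, not part of this commit). The rendered name is also unquoted, so piping the expression through `| quote` would keep a numeric or boolean-looking issuer name a string. The Certificate spec begins above this hunk, so the rest of it is not visible here.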
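Review bot: The new comment on `existingIssuerName` in `values.yaml` does not say what the issuer is trusted for. Judging by the `webhook.yaml` hunks, it signs the serving certificate for the controller's webhook service, so the webhook's trust anchor moves from a chart-owned self-signed issuer to one managed outside the chart. I would extend the comment along the lines of `# must be an Issuer in the release namespace; it signs the webhook serving certificate, so limit who can request certificates from it`. It is also worth stating that the value presumably only takes effect when `enableCertManager` is true, which the hunk context suggests but does not show.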