diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
index e1a0164..9808135 100755
--- a/apis/v1alpha1/ack-generate-metadata.yaml
+++ b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2024-07-26T15:20:01Z"
-  build_hash: e8ec3d013609c4f72464df94830e00dcf2a09a81
+  build_date: "2024-08-06T02:51:25Z"
+  build_hash: 587b90dc860e91ee9a763e9e3bc4d3f1b2fbddb7
   go_version: go1.22.5
-  version: v0.35.0-1-ge8ec3d0
+  version: v0.36.0
 api_directory_checksum: 14ee2b48df20458271bcddc87436760812fd6ccd
 api_version: v1alpha1
 aws_sdk_go_version: v1.49.6
diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml
index e44b43d..f3ea95e 100644
--- a/config/controller/kustomization.yaml
+++ b/config/controller/kustomization.yaml
@@ -6,4 +6,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: public.ecr.aws/aws-controllers-k8s/acmpca-controller
-  newTag: 0.0.16
+  newTag: 0.0.17
diff --git a/config/crd/bases/acmpca.services.k8s.aws_certificateauthorityactivations.yaml b/config/crd/bases/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
index 1efc003..2f9c805 100644
--- a/config/crd/bases/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
+++ b/config/crd/bases/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
@@ -83,6 +83,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               certificateChain:
diff --git a/config/crd/bases/acmpca.services.k8s.aws_certificates.yaml b/config/crd/bases/acmpca.services.k8s.aws_certificates.yaml
index 61df283..28b7215 100644
--- a/config/crd/bases/acmpca.services.k8s.aws_certificates.yaml
+++ b/config/crd/bases/acmpca.services.k8s.aws_certificates.yaml
@@ -299,6 +299,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               certificateSigningRequest:
@@ -316,6 +318,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               signingAlgorithm:
diff --git a/go.mod b/go.mod
index 3e10d99..8ae0072 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.22.5
 
 require (
-	github.com/aws-controllers-k8s/runtime v0.35.0
+	github.com/aws-controllers-k8s/runtime v0.36.0
 	github.com/aws/aws-sdk-go v1.49.6
 	github.com/go-logr/logr v1.4.1
 	github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
index 2128f10..45b5329 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/aws-controllers-k8s/runtime v0.35.0 h1:kLRLFOAcaFJRv/aEiWtb0qhlxFpwvmx6shCWNc1Tuas=
-github.com/aws-controllers-k8s/runtime v0.35.0/go.mod h1:gI2pWb20UGLP2SnHf1a1VzTd7iVVy+/I9VAzT0Y+Dew=
+github.com/aws-controllers-k8s/runtime v0.36.0 h1:XEMVGfUwsT9QMShihuCLHlape+daJWyYtXj45s/iJiU=
+github.com/aws-controllers-k8s/runtime v0.36.0/go.mod h1:gI2pWb20UGLP2SnHf1a1VzTd7iVVy+/I9VAzT0Y+Dew=
 github.com/aws/aws-sdk-go v1.49.6 h1:yNldzF5kzLBRvKlKz1S0bkvc2+04R1kt13KfBWQBfFA=
 github.com/aws/aws-sdk-go v1.49.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 1e8b4cc..764a996 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: acmpca-chart
 description: A Helm chart for the ACK service controller for AWS Private Certificate Authority (PCA)
-version: 0.0.16
-appVersion: 0.0.16
+version: 0.0.17
+appVersion: 0.0.17
 home: https://github.com/aws-controllers-k8s/acmpca-controller
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/helm/crds/acmpca.services.k8s.aws_certificateauthorityactivations.yaml b/helm/crds/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
index 1efc003..2f9c805 100644
--- a/helm/crds/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
+++ b/helm/crds/acmpca.services.k8s.aws_certificateauthorityactivations.yaml
@@ -83,6 +83,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               certificateChain:
diff --git a/helm/crds/acmpca.services.k8s.aws_certificates.yaml b/helm/crds/acmpca.services.k8s.aws_certificates.yaml
index 61df283..28b7215 100644
--- a/helm/crds/acmpca.services.k8s.aws_certificates.yaml
+++ b/helm/crds/acmpca.services.k8s.aws_certificates.yaml
@@ -299,6 +299,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               certificateSigningRequest:
@@ -316,6 +318,8 @@ spec:
                     properties:
                       name:
                         type: string
+                      namespace:
+                        type: string
                     type: object
                 type: object
               signingAlgorithm:
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index 1476fce..13ccd49 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -1,5 +1,5 @@
 {{ .Chart.Name }} has been installed.
-This chart deploys "public.ecr.aws/aws-controllers-k8s/acmpca-controller:0.0.16".
+This chart deploys "public.ecr.aws/aws-controllers-k8s/acmpca-controller:0.0.17".
 
 Check its status by running:
   kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/helm/values.yaml b/helm/values.yaml
index 7f2fe4a..4b46840 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -4,7 +4,7 @@
 
 image:
   repository: public.ecr.aws/aws-controllers-k8s/acmpca-controller
-  tag: 0.0.16
+  tag: 0.0.17
   pullPolicy: IfNotPresent
   pullSecrets: []
 
diff --git a/pkg/resource/certificate/references.go b/pkg/resource/certificate/references.go
index 0d1c2e2..0321bd7 100644
--- a/pkg/resource/certificate/references.go
+++ b/pkg/resource/certificate/references.go
@@ -60,18 +60,17 @@ func (rm *resourceManager) ResolveReferences(
 	apiReader client.Reader,
 	res acktypes.AWSResource,
 ) (acktypes.AWSResource, bool, error) {
-	namespace := res.MetaObject().GetNamespace()
 	ko := rm.concreteResource(res).ko
 
 	resourceHasReferences := false
 	err := validateReferenceFields(ko)
-	if fieldHasReferences, err := rm.resolveReferenceForCertificateAuthorityARN(ctx, apiReader, namespace, ko); err != nil {
+	if fieldHasReferences, err := rm.resolveReferenceForCertificateAuthorityARN(ctx, apiReader, ko); err != nil {
 		return &resource{ko}, (resourceHasReferences || fieldHasReferences), err
 	} else {
 		resourceHasReferences = resourceHasReferences || fieldHasReferences
 	}
 
-	if fieldHasReferences, err := rm.resolveReferenceForCertificateSigningRequest(ctx, apiReader, namespace, ko); err != nil {
+	if fieldHasReferences, err := rm.resolveReferenceForCertificateSigningRequest(ctx, apiReader, ko); err != nil {
 		return &resource{ko}, (resourceHasReferences || fieldHasReferences), err
 	} else {
 		resourceHasReferences = resourceHasReferences || fieldHasReferences
@@ -104,7 +103,6 @@ func validateReferenceFields(ko *svcapitypes.Certificate) error {
 func (rm *resourceManager) resolveReferenceForCertificateAuthorityARN(
 	ctx context.Context,
 	apiReader client.Reader,
-	namespace string,
 	ko *svcapitypes.Certificate,
 ) (hasReferences bool, err error) {
 	if ko.Spec.CertificateAuthorityRef != nil && ko.Spec.CertificateAuthorityRef.From != nil {
@@ -113,6 +111,10 @@ func (rm *resourceManager) resolveReferenceForCertificateAuthorityARN(
 		if arr.Name == nil || *arr.Name == "" {
 			return hasReferences, fmt.Errorf("provided resource reference is nil or empty: CertificateAuthorityRef")
 		}
+		namespace := ko.ObjectMeta.GetNamespace()
+		if arr.Namespace != nil && *arr.Namespace != "" {
+			namespace = *arr.Namespace
+		}
 		obj := &svcapitypes.CertificateAuthority{}
 		if err := getReferencedResourceState_CertificateAuthority(ctx, apiReader, obj, *arr.Name, namespace); err != nil {
 			return hasReferences, err
@@ -181,7 +183,6 @@ func getReferencedResourceState_CertificateAuthority(
 func (rm *resourceManager) resolveReferenceForCertificateSigningRequest(
 	ctx context.Context,
 	apiReader client.Reader,
-	namespace string,
 	ko *svcapitypes.Certificate,
 ) (hasReferences bool, err error) {
 	if ko.Spec.CertificateSigningRequestRef != nil && ko.Spec.CertificateSigningRequestRef.From != nil {
@@ -190,6 +191,10 @@ func (rm *resourceManager) resolveReferenceForCertificateSigningRequest(
 		if arr.Name == nil || *arr.Name == "" {
 			return hasReferences, fmt.Errorf("provided resource reference is nil or empty: CertificateSigningRequestRef")
 		}
+		namespace := ko.ObjectMeta.GetNamespace()
+		if arr.Namespace != nil && *arr.Namespace != "" {
+			namespace = *arr.Namespace
+		}
 		obj := &svcapitypes.CertificateAuthority{}
 		if err := getReferencedResourceState_CertificateAuthority(ctx, apiReader, obj, *arr.Name, namespace); err != nil {
 			return hasReferences, err
diff --git a/pkg/resource/certificate_authority_activation/references.go b/pkg/resource/certificate_authority_activation/references.go
index 61edee5..8bae325 100644
--- a/pkg/resource/certificate_authority_activation/references.go
+++ b/pkg/resource/certificate_authority_activation/references.go
@@ -56,12 +56,11 @@ func (rm *resourceManager) ResolveReferences(
 	apiReader client.Reader,
 	res acktypes.AWSResource,
 ) (acktypes.AWSResource, bool, error) {
-	namespace := res.MetaObject().GetNamespace()
 	ko := rm.concreteResource(res).ko
 
 	resourceHasReferences := false
 	err := validateReferenceFields(ko)
-	if fieldHasReferences, err := rm.resolveReferenceForCertificateAuthorityARN(ctx, apiReader, namespace, ko); err != nil {
+	if fieldHasReferences, err := rm.resolveReferenceForCertificateAuthorityARN(ctx, apiReader, ko); err != nil {
 		return &resource{ko}, (resourceHasReferences || fieldHasReferences), err
 	} else {
 		resourceHasReferences = resourceHasReferences || fieldHasReferences
@@ -90,7 +89,6 @@ func validateReferenceFields(ko *svcapitypes.CertificateAuthorityActivation) err
 func (rm *resourceManager) resolveReferenceForCertificateAuthorityARN(
 	ctx context.Context,
 	apiReader client.Reader,
-	namespace string,
 	ko *svcapitypes.CertificateAuthorityActivation,
 ) (hasReferences bool, err error) {
 	if ko.Spec.CertificateAuthorityRef != nil && ko.Spec.CertificateAuthorityRef.From != nil {
@@ -99,6 +97,10 @@ func (rm *resourceManager) resolveReferenceForCertificateAuthorityARN(
 		if arr.Name == nil || *arr.Name == "" {
 			return hasReferences, fmt.Errorf("provided resource reference is nil or empty: CertificateAuthorityRef")
 		}
+		namespace := ko.ObjectMeta.GetNamespace()
+		if arr.Namespace != nil && *arr.Namespace != "" {
+			namespace = *arr.Namespace
+		}
 		obj := &svcapitypes.CertificateAuthority{}
 		if err := getReferencedResourceState_CertificateAuthority(ctx, apiReader, obj, *arr.Name, namespace); err != nil {
 			return hasReferences, err