diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
index 8001f378..37cc7abc 100644
--- a/control-plane/roles/gardener/README.md
+++ b/control-plane/roles/gardener/README.md
@@ -117,6 +117,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov
 | gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension |
 | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension |
 | gardener_cert_management_precheck_nameservers | | To provide special set of nameservers to be used for prechecking DNSChallenges for an issuer |
+| gardener_cert_management_shoot_issuers_enabled | | If enabled, allows to specify issuers in the shoot clusters |
 ### Certificates
diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml
index f8378430..02a5cf2f 100644
--- a/control-plane/roles/gardener/defaults/main/extensions.yaml
+++ b/control-plane/roles/gardener/defaults/main/extensions.yaml
@@ -69,6 +69,7 @@ gardener_cert_management_issuer_private_key: ""
 gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory
 gardener_cert_management_issuer_email:
 gardener_cert_management_precheck_nameservers: []
+gardener_cert_management_shoot_issuers_enabled: false
 gardener_extension_dns_external_controller_registration_url:
diff --git a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml
index 202bf9e2..a3b28bcf 100644
--- a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml
+++ b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml
@@ -22,3 +22,5 @@ providerConfig:
 {% if gardener_cert_management_precheck_nameservers %}
 precheckNameservers: "{{ gardener_cert_management_precheck_nameservers | join(',') }}"
 {% endif %}
+ shootIssuers:
+ enabled: {{ gardener_cert_management_shoot_issuers_enabled | bool }} # if true, allows to specify issuers in the shoot clusters
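Review bot: The trailing comment on the added `enabled:` line restates the variable name but not what changes once it is on: issuer definitions are then accepted from inside the shoot clusters, so they are written by shoot owners rather than by the operator of this role. That presumably lets a shoot owner direct certificate requests to an ACME endpoint and account of their own choosing, which is worth stating where the switch is rendered, e.g. `# if true, issuers defined by shoot owners inside their cluster are honoured; leave false unless tenants may choose their own ACME server`. The expression also renders as `True`/`False`; `| bool | lower` would give the canonical YAML spelling. The `providerConfig:` block these keys belong to starts above the hunk, and their indentation is not recoverable from this page, so the nesting of `shootIssuers` could not be checked.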