diff --git a/charts/aws-pca-issuer/README.md b/charts/aws-pca-issuer/README.md
index 4d50ac28..a9d9ae24 100644
--- a/charts/aws-pca-issuer/README.md
+++ b/charts/aws-pca-issuer/README.md
@@ -77,7 +77,24 @@ IfNotPresent
image.tag |
-Image tag
+Image tag (used only when digest is empty)
+
+ |
+string |
+
+
+```yaml
+""
+```
+
+ |
+
+
+
+| image.digest |
+
+
+Image digest (overrides tag when set). Example: sha256:aaaaaa...
|
string |
diff --git a/charts/aws-pca-issuer/templates/deployment.yaml b/charts/aws-pca-issuer/templates/deployment.yaml
index fbb2de19..634c92e9 100644
--- a/charts/aws-pca-issuer/templates/deployment.yaml
+++ b/charts/aws-pca-issuer/templates/deployment.yaml
@@ -43,7 +43,7 @@ spec:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.image.repository }}{{- if .Values.image.digest }}@{{ .Values.image.digest }}{{- else }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{- end }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /manager
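Review bot: `.Values.image.digest` is spliced into the reference on the new `image:` line with no format check, so a typo or a value missing the `sha256:` prefix still renders and would presumably surface only as a failed image pull on the node. A render-time guard placed before the `image:` line would reject it at `helm template`/`helm install`: `{{- if and .Values.image.digest (not (regexMatch "^sha256:[a-f0-9]{64}$" .Values.image.digest)) }}{{ fail "image.digest must be sha256:<64 hex chars>" }}{{- end }}` (widen the pattern if other digest algorithms are expected). With a digest set, both `image.tag` and `.Chart.AppVersion` are ignored, so a chart upgrade keeps running the pinned image until the digest is changed; the `digest` comment in values.yaml should say so. The container spec starts and ends outside this hunk.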
diff --git a/charts/aws-pca-issuer/values.yaml b/charts/aws-pca-issuer/values.yaml
index 448d594b..ccbf2e0f 100644
--- a/charts/aws-pca-issuer/values.yaml
+++ b/charts/aws-pca-issuer/values.yaml
@@ -8,9 +8,10 @@ image:
repository: public.ecr.aws/k1n1h4h4/cert-manager-aws-privateca-issuer
# Image pull policy
pullPolicy: IfNotPresent
- # Image tag
+ # Image tag (used only when digest is empty)
tag: ""
-
+ # Image digest (overrides tag when set). Example: sha256:aaaaaa...
+ digest: ""
# Disable waiting for CertificateRequests to be Approved before signing
disableApprovedCheck: false