diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
index 009fa30d9a..19bfa1e3d6 100644
--- a/helm/aws-load-balancer-controller/templates/webhook.yaml
+++ b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -235,7 +235,7 @@ spec:
 - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
 issuerRef:
 kind: Issuer
- name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
+ name: {{ default (printf "%s-selfsigned-issuer" (include "aws-load-balancer-controller.namePrefix" .)) .Values.certManager.existingIssuerName }}
 secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
 {{- with .Values.certManager -}}
 {{ if .duration }}
@@ -249,6 +249,7 @@ spec:
 {{- end }}
 {{- end }}
 ---
+{{- if not $.Values.certManager.existingIssuerName }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -259,3 +260,4 @@ metadata:
 spec:
 selfSigned: {}
 {{- end }}
+{{- end }}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 24786605df..83f3e3725a 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -120,6 +120,9 @@ certManager:
 duration:
 renewBefore:
 revisionHistoryLimit:
+ # name of the existing issuer to use for certificate requests
+ # when set, the controller will not create a self-signed issuer
+ existingIssuerName:
 # The name of the Kubernetes cluster. A non-empty value is required
 clusterName:
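Review bot: In the `issuerRef` hunk of templates/webhook.yaml (-235), `kind: Issuer` stays hard-coded while only `name` becomes configurable, so `certManager.existingIssuerName` can only resolve to a namespaced Issuer; a ClusterIssuer of that name would not match and the webhook Certificate would presumably stay unissued. Either document that restriction next to the value or make the kind configurable as well. The rendered name is also unquoted, so a value that YAML types as a boolean or number would not arrive as a string; `name: {{ default (printf "%s-selfsigned-issuer" (include "aws-load-balancer-controller.namePrefix" .)) .Values.certManager.existingIssuerName | quote }}` avoids that. Because this certificate appears to be the webhook's serving identity, the named Issuer becomes part of the admission webhook's trust path, so who may issue from it is worth confirming. The Certificate spec begins outside the hunk.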
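Review bot: In the second webhook.yaml hunk (-249), the `---` separator is left outside the new `{{- if not $.Values.certManager.existingIssuerName }}` guard, so when an existing issuer is configured the template still emits a trailing empty document. Helm normally drops empty documents, so this is a style point, but moving the separator inside the conditional keeps the rendered output clean: `{{- if not $.Values.certManager.existingIssuerName }}` followed by `---`. The matching `{{- end }}` is in the next hunk (-259), and the enclosing block opens outside both hunks.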
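Review bot: The new comment on `existingIssuerName` in values.yaml does not say which issuer kind or namespace is expected, although the template pins `kind: Issuer`. It also says "the controller will not create a self-signed issuer", but it is the chart template that skips the Issuer. Suggested wording: `# name of an existing cert-manager Issuer (namespaced, same namespace as the release) that signs the webhook certificate` and `# when set, the chart does not create the self-signed Issuer`. The bare key parses as null, which the `default` and `not` checks handle; `existingIssuerName: ""` would make the expected type explicit, though the neighbouring keys use the bare form too.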