diff --git a/hack/patches/008-certificates-reconciler.patch b/hack/patches/008-certificates-reconciler.patch
new file mode 100644
index 0000000000..b9857da108
--- /dev/null
+++ b/hack/patches/008-certificates-reconciler.patch
@@ -0,0 +1,23 @@
+diff --git a/vendor/knative.dev/pkg/webhook/certificates/certificates.go b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
+index 5239279..d5981e7 100644
+--- a/vendor/knative.dev/pkg/webhook/certificates/certificates.go
++++ b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
+@@ -20,6 +20,7 @@ import (
+ 	"context"
+ 	"crypto/tls"
+ 	"crypto/x509"
++	"os"
+ 	"time"
+ 
+ 	"go.uber.org/zap"
+@@ -63,6 +64,10 @@ func (r *reconciler) Reconcile(ctx context.Context, key string) error {
+ func (r *reconciler) reconcileCertificate(ctx context.Context) error {
+ 	logger := logging.FromContext(ctx)
+ 
++	if os.Getenv("USE_OLM_TLS") != "" { // olm manages cert rotation
++		return nil
++	}
++
+ 	secret, err := r.secretlister.Secrets(r.key.Namespace).Get(r.key.Name)
+ 	if apierrors.IsNotFound(err) {
+ 		// The secret should be created explicitly by a higher-level system
diff --git a/vendor/knative.dev/pkg/webhook/certificates/certificates.go b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
index 5239279e52..d5981e7517 100644
--- a/vendor/knative.dev/pkg/webhook/certificates/certificates.go
+++ b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"os"
 	"time"
 
 	"go.uber.org/zap"
@@ -63,6 +64,10 @@ func (r *reconciler) Reconcile(ctx context.Context, key string) error {
 func (r *reconciler) reconcileCertificate(ctx context.Context) error {
 	logger := logging.FromContext(ctx)
 
+	if os.Getenv("USE_OLM_TLS") != "" { // olm manages cert rotation
+		return nil
+	}
+
 	secret, err := r.secretlister.Secrets(r.key.Namespace).Get(r.key.Name)
 	if apierrors.IsNotFound(err) {
 		// The secret should be created explicitly by a higher-level system