diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
index 4f6e5ae071384945b2d185cff22556b5da6c651e..1cf2a9ba68be9df3c008b661bc3c94612b3050d5 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
@@ -77,6 +77,7 @@ DNS_SERVICE_IP="$DNS_SERVICE_IP"
 DNS_CLUSTER_DOMAIN="$DNS_CLUSTER_DOMAIN"
 CERT_MANAGER_API="$CERT_MANAGER_API"
 CA_KEY="$CA_KEY"
+CERT_MANAGER_IO_ENABLED="$CERT_MANAGER_IO_ENABLED"
 CALICO_TAG="$CALICO_TAG"
 CALICO_KUBE_CONTROLLERS_TAG="$CALICO_KUBE_CONTROLLERS_TAG"
 CALICO_IPV4POOL="$CALICO_IPV4POOL"
diff --git a/magnum/drivers/common/templates/kubernetes/helm/cern-chart.sh b/magnum/drivers/common/templates/kubernetes/helm/cern-chart.sh
index 0f958aca37ff84b6382fb50e4bfdf0557f3a7879..478f3a438137f72abe909f751f57d9e84f28765a 100644
--- a/magnum/drivers/common/templates/kubernetes/helm/cern-chart.sh
+++ b/magnum/drivers/common/templates/kubernetes/helm/cern-chart.sh
@@ -78,6 +78,8 @@ ${NVIDIA_GPU_VALUES}
       enabled: ${CINDER_CSI_ENABLED}
     openstack-manila-csi:
       enabled: ${MANILA_CSI_ENABLED}
+    cert-manager:
+      enabled: ${CERT_MANAGER_IO_ENABLED}
     base:
       enabled: ${CERN_ENABLED}
 EOF
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py
index bd88b78da07bfab89ae057ee3a1ec7c952e275ca..7afafec83dde879768eeb67188df7983e3a10197 100644
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@@ -131,7 +131,8 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
                       'nvidia_gpu_tag', 'cern_chart_enabled', 'cern_chart_version',
                       'oidc_issuer_url', 'oidc_username_claim', 'oidc_groups_claim',
                       'oidc_username_prefix', 'oidc_groups_prefix', 'oidc_client_id',
-                      'oidc_enabled', 'ignition_version', 'cern_chart_values']
+                      'oidc_enabled', 'ignition_version', 'cern_chart_values',
+                      'cert_manager_io_enabled']
 
         labels = self._get_relevant_labels(cluster, kwargs)
 
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
index 80d9d9b142e17550f4673e5e9e4e8757ef440622..df1149c21b8747e74fbc82ba64aee6976acf4a1c 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -561,6 +561,12 @@ parameters:
     default: ""
     hidden: true
 
+  cert_manager_io_enabled:
+    type: boolean
+    description: >
+      Indicates whether cert-manager.io plugin should be started.
+    default: false
+
   calico_tag:
     type: string
     description: tag of the calico containers used to provision the calico node
@@ -1287,6 +1293,7 @@ resources:
           availability_zone: {get_param: availability_zone}
           ca_key: {get_param: ca_key}
           cert_manager_api: {get_param: cert_manager_api}
+          cert_manager_io_enabled: {get_param: cert_manager_io_enabled}
           calico_tag: {get_param: calico_tag}
           calico_kube_controllers_tag: {get_param: calico_kube_controllers_tag}
           calico_ipv4pool: {get_param: calico_ipv4pool}
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
index 587678ec1f9b9e2c3d23c782fe77d851e0b5625e..a993eb8ba87d6bf48709623f52adc033460f1004 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -371,6 +371,12 @@ parameters:
     type: string
     description: tag of the calico containers used to provision the calico node
 
+  cert_manager_io_enabled:
+    type: boolean
+    description: >
+      Indicates whether cert-manager.io plugin should be started.
+    default: false
+
   calico_kube_controllers_tag:
     type: string
     description: tag of the kube_controllers used to provision the calico node
@@ -946,6 +952,7 @@ resources:
                   "$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
                   "$CERT_MANAGER_API": {get_param: cert_manager_api}
                   "$CA_KEY": {get_param: ca_key}
+                  "$CERT_MANAGER_IO_ENABLED": {get_param: cert_manager_io_enabled}
                   "$CALICO_TAG": {get_param: calico_tag}
                   "$CALICO_KUBE_CONTROLLERS_TAG": {get_param: calico_kube_controllers_tag}
                   "$CALICO_IPV4POOL": {get_param: calico_ipv4pool}