diff --git a/modules/certmanager/issuer.go b/modules/certmanager/issuer.go
index b42eea07..460c0bf2 100644
--- a/modules/certmanager/issuer.go
+++ b/modules/certmanager/issuer.go
@@ -34,6 +34,8 @@ import (
 const (
 	// RootCAIssuerInternalLabel for internal RootCA to issue internal TLS Certs
 	RootCAIssuerInternalLabel = "osp-rootca-issuer-internal"
+	// RootCAIssuerOvnDBLabel for internal RootCA to issue OVN DB TLS Certs
+	RootCAIssuerOvnDBLabel = "osp-rootca-issuer-ovndb"
 )
 
 // Issuer -
diff --git a/modules/common/service/types.go b/modules/common/service/types.go
index d2090ba7..95a1d68b 100644
--- a/modules/common/service/types.go
+++ b/modules/common/service/types.go
@@ -52,6 +52,8 @@ const (
 	ProtocolHTTPS Protocol = "https"
 	// ProtocolNone -
 	ProtocolNone Protocol = ""
+	// OvnDbCA - fake endpoint for OVN DB internal CA
+	OvnDbCA Endpoint = "ovndb"
 )
 
 func (e *Endpoint) String() string {
diff --git a/modules/common/tls/tls.go b/modules/common/tls/tls.go
index 9e5d9e9f..5e9084ec 100644
--- a/modules/common/tls/tls.go
+++ b/modules/common/tls/tls.go
@@ -106,6 +106,11 @@ type APIService struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// Internal GenericService - holds the secret for the internal endpoint
 	Internal GenericService `json:"internal,omitempty"`
+
+	// +kubebuilder:validation:optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// OVNDb GenericService - holds the secret for the OVNDb client cert
+	OvnDb GenericService `json:"ovndb,omitempty"`
 }
 
 // GenericService contains server-specific TLS secret or issuer
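Review bot: The doc comment on `OvnDbCA` calls it a "fake endpoint" without saying what that means for callers; since it is an `Endpoint` value alongside `EndpointInternal` and `EndpointPublic`, any code that enumerates endpoints to build Service or Route names could, as far as I can tell from here, pick it up as a real one. Suggest `// OvnDbCA - marker Endpoint used only to select the OVN DB client-cert secret in tls.APIService; it is not a served endpoint and must not be used to build Service/Route names.` The spelling also differs from `RootCAIssuerOvnDBLabel` in issuer.go (`OvnDb` vs `OvnDB`) and from the `OvnDb` field added in tls.go; Go keeps an initialism in one case, so settling on one form across the three files would help.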
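Review bot: The new field's doc comment starts with `OVNDb` while the field is `OvnDb`, so it neither leads with the identifier as the sibling `Internal GenericService - holds the secret for the internal endpoint` does nor agrees with the "internal CA" wording on `service.OvnDbCA` in types.go about what the secret holds. Suggest `// OvnDb GenericService - holds the secret for the OVN DB client cert` and aligning the types.go comment to the same wording, unless the secret really is a CA bundle; which of the two it is should be stated once, consistently, since a reader deciding what to mount into a pod will trust whichever comment they see first.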
@@ -163,7 +168,7 @@ func (a *APIService) ValidateCertSecrets(
 ) (string, ctrl.Result, error) {
 	var svc GenericService
 	certHashes := map[string]env.Setter{}
-	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic, service.OvnDbCA} {
 		switch endpt {
 		case service.EndpointPublic:
 			if !a.Enabled(service.EndpointPublic) {
@@ -178,6 +183,13 @@ func (a *APIService) ValidateCertSecrets(
 			}
 
 			svc = a.Internal
+
+		case service.OvnDbCA:
+			if !a.Enabled(service.EndpointInternal) {
+				continue
+			}
+
+			svc = a.OvnDb
 		}
 
 		hash, ctrlResult, err := svc.ValidateCertSecret(ctx, h, namespace)
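Review bot: The new `case service.OvnDbCA` decides whether to validate `a.OvnDb` by checking `a.Enabled(service.EndpointInternal)`, i.e. the internal endpoint's configuration rather than the OVN DB secret's own, so an APIService with internal TLS enabled but no OVN DB secret configured will now call `svc.ValidateCertSecret` on an empty GenericService; whether that produces a requeue or a hard error depends on ValidateCertSecret, which is outside the hunk. Gating on the field itself would match how the Public and Internal cases work: `if !a.Enabled(service.OvnDbCA) { continue }`, with `Enabled` (not in the hunk) taught to map `service.OvnDbCA` to `a.OvnDb`. If the intent is that the OVN DB client cert is mandatory whenever internal TLS is on, a one-line comment on the case saying so would spare the next reader the same question. The same point applies to the loop change in the preceding hunk, which is what introduces the new iteration; ValidateCertSecrets begins before the first hunk and continues past the last line shown.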