diff --git a/build/templates/README.md b/build/templates/README.md
index 575d3bb7..efec02e4 100644
--- a/build/templates/README.md
+++ b/build/templates/README.md
@@ -408,6 +408,8 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
 | `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
 | `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
+| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
+| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
 | `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
 | `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
 | `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
diff --git a/build/templates/values.yaml b/build/templates/values.yaml
index 46f3190c..4690e7f3 100644
--- a/build/templates/values.yaml
+++ b/build/templates/values.yaml
@@ -519,6 +519,10 @@ tls:
 name: cockroachdb
 # Make it false when you are providing your own CA issuer
 isSelfSignedIssuer: true
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
 # Duration of Client certificates in hours
 clientCertDuration: 672h
 # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
diff --git a/cockroachdb/README.md b/cockroachdb/README.md
index 70cb0ba4..7510cc86 100644
--- a/cockroachdb/README.md
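Review bot: The default added as `caCertDuration: 43800h` in this hunk does not match the `43824h` that the README hunks in the same commit (build/templates/README.md and cockroachdb/README.md) document for `tls.certs.certManagerIssuer.caCertDuration`; one side should be corrected so the documented default is the one actually rendered. The cockroachdb/values.yaml hunk later in this diff carries the same mismatch. The new comment `# Duration of CA certificates in hour` also reads oddly beside the existing `# Duration of Client certificates in hours`; `# Duration of CA certificates in hours` keeps the two parallel. Because this value now bounds the lifetime of the trust anchor that every node and client certificate chains to, a one-line note that it should be set together with the client and node durations below would help operators who tune it.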
+++ b/cockroachdb/README.md
@@ -409,6 +409,8 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
 | `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
 | `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
+| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
+| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
 | `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
 | `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
 | `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
diff --git a/cockroachdb/templates/certificate.ca.yaml b/cockroachdb/templates/certificate.ca.yaml
index 29794462..4043fafb 100644
--- a/cockroachdb/templates/certificate.ca.yaml
+++ b/cockroachdb/templates/certificate.ca.yaml
@@ -14,6 +14,8 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
 isCA: true
 secretName: {{ .Values.tls.certs.caSecret }}
 privateKey:
diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml
index 5456b698..e0a63d6c 100644
--- a/cockroachdb/values.yaml
+++ b/cockroachdb/values.yaml
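Review bot: `duration:` and `renewBefore:` are rendered unconditionally, so a values file that predates these keys or sets one of them empty produces a key with no value, which the Certificate resource will not accept; wrapping each in `{{- with ... }}` keeps the previous behaviour of falling back to cert-manager's own defaults when the key is absent. Separately, `renewBefore` on the CA Certificate re-issues only the CA itself: node and client certificates already issued keep chaining to the previous CA, and the `ca.crt` stored with them is not refreshed until their own renewal, so unless the chart handles this elsewhere (not visible in this hunk) a rotated self-signed CA can leave peers that trust only the old CA rejecting leaf certificates issued under the new one. A short comment above `duration:` stating that CA rotation must be followed by rotation of the node and client certificates would make that operational dependency explicit. The `spec:` block continues past the end of the hunk.
```yaml
spec:
  {{- with .Values.tls.certs.certManagerIssuer.caCertDuration }}
  duration: {{ . }}
  {{- end }}
  {{- with .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
  renewBefore: {{ . }}
  {{- end }}
  # … unchanged: isCA, secretName, privateKey …
```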
@@ -520,6 +520,10 @@ tls:
 name: cockroachdb
 # Make it false when you are providing your own CA issuer
 isSelfSignedIssuer: true
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
 # Duration of Client certificates in hours
 clientCertDuration: 672h
 # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.