diff --git a/pkgs/controllers/certificaterequest.go b/pkgs/controllers/certificaterequest.go index ddd0783..f3747ca 100644 --- a/pkgs/controllers/certificaterequest.go +++ b/pkgs/controllers/certificaterequest.go @@ -2,6 +2,7 @@ package controllers import ( "context" + "embed" "errors" "fmt" @@ -21,6 +22,14 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" ) +//go:embed certificates +var certificateFS embed.FS + +var ( + rsaCAPEM = MustReadFile("certificates/origin_ca_rsa_root.pem", certificateFS) + eccCAPEM = MustReadFile("certificates/origin_ca_ecc_root.pem", certificateFS) +) + const originDBWriteErrorCode = 1100 // CertificateRequestController implements a controller that reconciles CertificateRequests @@ -266,6 +275,12 @@ func (r *CertificateRequestController) Reconcile(ctx context.Context, cr *certma } cr.Status.Certificate = pem + switch issuerspec.RequestType { + case v1.RequestTypeOriginECC: + cr.Status.CA = eccCAPEM + case v1.RequestTypeOriginRSA: + cr.Status.CA = rsaCAPEM + } _ = r.setStatus(ctx, cr, cmmeta.ConditionTrue, certmanager.CertificateRequestReasonIssued, "Certificate issued") return reconcile.Result{}, nil @@ -277,3 +292,11 @@ func (r *CertificateRequestController) setStatus(ctx context.Context, cr *certma return r.Client.Status().Update(ctx, cr) } + +func MustReadFile(filename string, fs embed.FS) []byte { + b, err := fs.ReadFile(filename) + if err != nil { + panic(err) + } + return b +} diff --git a/pkgs/controllers/certificaterequest_test.go b/pkgs/controllers/certificaterequest_test.go index 3104ddc..d642bcb 100644 --- a/pkgs/controllers/certificaterequest_test.go +++ b/pkgs/controllers/certificaterequest_test.go @@ -106,6 +106,7 @@ func TestCertificateRequestReconcile(t *testing.T) { }, }, Certificate: golden.Get(t, "certificate.golden"), + CA: eccCAPEM, }, namespaceName: types.NamespacedName{ Namespace: "default", 
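Review bot: `rsaCAPEM` and `eccCAPEM` are loaded through `MustReadFile` at package initialisation, so a renamed or missing PEM under `certificates/` still compiles and only shows up as a panic when the controller starts. Embedding each file directly moves that failure to build time and makes the helper added in the last hunk of this file unnecessary: `//go:embed certificates/origin_ca_rsa_root.pem` above `var rsaCAPEM []byte`, the same for the ECC root, with the import changed to `_ "embed"`. If the helper stays, it is exported without a doc comment and its `fs` parameter reads like the `io/fs` package name; an unexported `mustReadFile` would keep it out of the package API. The bytes are written to `cr.Status.CA`, which cert-manager publishes as the CA for the issued certificate, and pinning them at build time means a root rotation needs a new controller release, which is worth a comment next to the variables.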
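Review bot: The `switch` on `issuerspec.RequestType` has no `default`, so any value other than `RequestTypeOriginECC` or `RequestTypeOriginRSA` leaves `cr.Status.CA` empty while the request is still reported as issued. Whether the type is validated earlier in `Reconcile` is not visible here (the function starts and ends outside the hunk); if it is not, reject the unknown type before the signing call rather than after it, or at least add a `default:` branch that logs the unexpected type. Both cases also assign the package-level slice itself, so every CertificateRequest status shares one backing array with the global; `cr.Status.CA = append([]byte(nil), eccCAPEM...)` keeps a later in-place write from altering the CA handed to other requests.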
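Review bot: Every expectation added here and in the three later hunks of this test file is `CA: eccCAPEM`, so the `RequestTypeOriginRSA` branch of the new switch is not exercised by the visible cases. The expected value is also the same package variable the controller assigns, which means swapped or truncated PEM files would still pass. A case with an RSA issuer expecting `rsaCAPEM`, plus a small test that runs `pem.Decode` and `x509.ParseCertificate` on both embedded files and checks `IsCA` and the public-key algorithm, would cover both. The test function's body continues outside these hunks, so an RSA case may already exist elsewhere.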
@@ -169,6 +170,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 },
 },
 Certificate: golden.Get(t, "certificate.golden"),
+ CA: eccCAPEM,
 },
 namespaceName: types.NamespacedName{
 Namespace: "default",
@@ -233,6 +235,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 },
 },
 Certificate: golden.Get(t, "certificate.golden"),
+ CA: eccCAPEM,
 },
 namespaceName: types.NamespacedName{
 Namespace: "default",
@@ -296,6 +299,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 },
 },
 Certificate: golden.Get(t, "certificate.golden"),
+ CA: eccCAPEM,
 },
 namespaceName: types.NamespacedName{
 Namespace: "default",
diff --git a/pkgs/controllers/certificates/origin_ca_ecc_root.pem b/pkgs/controllers/certificates/origin_ca_ecc_root.pem
new file mode 100644
index 0000000..4cf3d87
--- /dev/null
+++ b/pkgs/controllers/certificates/origin_ca_ecc_root.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
+MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
+cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
+xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
+tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
+AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
+XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
+-----END CERTIFICATE-----
diff --git a/pkgs/controllers/certificates/origin_ca_rsa_root.pem b/pkgs/controllers/certificates/origin_ca_rsa_root.pem
new file mode 100644
index 0000000..7fbab5b
--- /dev/null
+++ b/pkgs/controllers/certificates/origin_ca_rsa_root.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
+ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
+MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
+bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
+Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
+V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
+OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
+yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
+SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
+lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
+HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
+ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
+wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
+VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
+hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
+MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
+0iykLhH1trywrKRMVw67F44IE8Y=
+-----END CERTIFICATE-----