diff --git a/component/olm.jsonnet b/component/olm.jsonnet index a0b80603..22b707b8 100644 --- a/component/olm.jsonnet +++ b/component/olm.jsonnet @@ -213,6 +213,24 @@ local patchManifests = function(file, has_csv) else r for r in super.rules + ] + [ + // Grant OLM operator permission to manage cert-manager certificate + // resources. This is required when setting `method: certmanager` + // for some Cilium TLS configuration (e.g. Hubble TLS). + { + apiGroups: [ 'cert-manager.io' ], + resources: [ 'certificates' ], + verbs: [ + 'create', + 'delete', + 'deletecollection', + 'get', + 'list', + 'patch', + 'update', + 'watch', + ], + }, ], }, } diff --git a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml index 4127fc64..79694020 100644 --- a/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml +++ b/tests/golden/olm-opensource/cilium/cilium/olm/cluster-network-06-cilium-00005-cilium-olm-role.yaml @@ -65,3 +65,16 @@ rules: - servicemonitors verbs: - '*' + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch
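Review bot: The `cert-manager.io` rule added after `] + [` is granted unconditionally, although its own comment says it is only needed when `method: certmanager` is set, so installs that never use cert-manager still give the OLM operator create/delete/deletecollection on `certificates`. Permission to create Certificate objects generally amounts to permission to request certificates from whichever issuers that namespace may reference, so it is worth keeping this off unless it is needed. Consider making the appended list conditional, e.g. `] + (if CERTMANAGER_TLS_ENABLED then [ { ... } ] else []),` where `CERTMANAGER_TLS_ENABLED` is a placeholder for whichever component parameter selects cert-manager TLS, and dropping `deletecollection` if the operator never issues collection deletes. The enclosing `patchManifests` function starts and ends outside this hunk, so the parameters in scope there are not visible; the golden YAML in the second hunk would need regenerating to match.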