diff --git a/config/rbac/byoh_csr_creator_clusterrole.yaml b/config/rbac/byoh_csr_creator_clusterrole.yaml
new file mode 100644
index 000000000..ebde460ca
--- /dev/null
+++ b/config/rbac/byoh_csr_creator_clusterrole.yaml
@@ -0,0 +1,14 @@
+# ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: byoh-csr-creator-clusterrole
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - watch
diff --git a/config/rbac/byoh_csr_creator_clusterrolebinding.yaml b/config/rbac/byoh_csr_creator_clusterrolebinding.yaml
new file mode 100644
index 000000000..c1055691f
--- /dev/null
+++ b/config/rbac/byoh_csr_creator_clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: byoh-csr-creator-clusterrole-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: byoh-csr-creator-clusterrole
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:bootstrappers:byoh
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index fccfca3f2..acf394ddc 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -25,6 +25,14 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - watch
 - apiGroups:
 - cluster.x-k8s.io
 - resources:
diff --git a/controllers/infrastructure/byohost_controller.go b/controllers/infrastructure/byohost_controller.go
index 63dda70b6..e8ec45fff 100644
--- a/controllers/infrastructure/byohost_controller.go
+++ b/controllers/infrastructure/byohost_controller.go
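Review bot: The verbs on the certificatesigningrequests rule omit `list`, which client-go's CSR helpers (`WaitForCertificate` lists by name before it watches) and any informer-backed client need; if the host agent uses either path, the call after the CSR is created is rejected with a forbidden error. Adding `- list` would match the built-in `system:node-bootstrapper` ClusterRole this rule otherwise mirrors. The rule correctly grants nothing on `certificatesigningrequests/approval` or on `signers`, so a bootstrap-token holder can request but never issue a certificate; recording that intent with a comment such as `# Request-only: approval and signing stay with a privileged controller or admin` would keep a later edit from widening it. Note that `get`/`watch` on a cluster-scoped resource let any token holder read every CSR in the cluster (request and issued certificate, no private keys), which is the same trade-off the node bootstrapper makes.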
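Review bot: The subject is the group `system:bootstrappers:byoh`, which a bootstrap token only carries when its Secret sets `auth-extra-groups: system:bootstrappers:byoh` (every bootstrap token is in the plain `system:bootstrappers` group, but the suffixed group is opt-in), and nothing in this diff shows that token being minted. Document the coupling at the subject, e.g. `# Must match auth-extra-groups on the bootstrap-token Secret handed to hosts`, so the binding is not silently a no-op. Because anyone holding such a token can create CSRs cluster-wide, the token Secret should carry a short `expiration`, and whatever approves these CSRs needs to constrain the requested CN/O to what this group may ask for, since the binding alone does not.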
@@ -23,6 +23,7 @@ type ByoHostReconciler struct {
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=byohosts,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=byohosts/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=byohosts/finalizers,verbs=update
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;watch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
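Review bot: The new marker grants `create;get;watch` but not `list`; if ByoHostReconciler reads CSRs through the controller-runtime cached client, the informer it starts performs a list before it watches and fails with forbidden, so `Get` keeps erroring until the cache syncs. If that is the access path, change the marker to `//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch` and regenerate config/rbac/role.yaml; if the reconciler instead only creates CSRs through a direct clientset, `get`/`watch` may be the excess grant. A one-line comment above the marker naming the code path that needs each verb would make the least-privilege choice reviewable, since the reconciler body is not in this hunk. The `ByoHostReconciler` struct named in the hunk header starts before the hunk.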