diff --git a/e2e-tests/tests/gr-tls-cert-manager/04-assert.yaml b/e2e-tests/tests/gr-tls-cert-manager/04-assert.yaml
index 18cf44438..07de41d71 100644
--- a/e2e-tests/tests/gr-tls-cert-manager/04-assert.yaml
+++ b/e2e-tests/tests/gr-tls-cert-manager/04-assert.yaml
@@ -36,11 +36,11 @@ spec:
 status:
 conditions:
 - message: Certificate is up to date and has not expired
- observedGeneration: 2
+ observedGeneration: 1
 reason: Ready
 status: 'True'
 type: Ready
- revision: 2
+ revision: 1
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/e2e-tests/tests/gr-tls-cert-manager/05-check-cert.yaml b/e2e-tests/tests/gr-tls-cert-manager/05-check-cert.yaml
index 35ca29679..7a44e42ab 100644
--- a/e2e-tests/tests/gr-tls-cert-manager/05-check-cert.yaml
+++ b/e2e-tests/tests/gr-tls-cert-manager/05-check-cert.yaml
@@ -17,6 +17,5 @@ commands:
 "*.gr-tls-cert-manager-orchestrator.'"${NAMESPACE}"'.svc",
 "*.gr-tls-cert-manager-router",
 "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'",
- "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'.svc",
- "mysql-1.example.com"
+ "*.gr-tls-cert-manager-router.'"${NAMESPACE}"'.svc"
 ]'
diff --git a/e2e-tests/tests/gr-tls-cert-manager/06-assert.yaml b/e2e-tests/tests/gr-tls-cert-manager/06-assert.yaml
index c95a2db66..4ece0f4a0 100644
--- a/e2e-tests/tests/gr-tls-cert-manager/06-assert.yaml
+++ b/e2e-tests/tests/gr-tls-cert-manager/06-assert.yaml
@@ -36,19 +36,19 @@ spec:
 status:
 conditions:
 - message: Certificate is up to date and has not expired
- observedGeneration: 2
+ observedGeneration: 1
 reason: Ready
 status: 'True'
 type: Ready
- revision: 3
+ revision: 2
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
- generation: 3
+ generation: 2
 name: gr-tls-cert-manager-mysql
 status:
- observedGeneration: 3
+ observedGeneration: 2
 replicas: 3
 readyReplicas: 3
 ---
@@ -63,7 +63,7 @@ metadata:
 app.kubernetes.io/name: percona-server
 app.kubernetes.io/part-of: percona-server
 status:
- observedGeneration: 3
+ observedGeneration: 2
 replicas: 3
 updatedReplicas: 3
 readyReplicas: 3
diff --git a/e2e-tests/tests/tls-cert-manager/04-assert.yaml b/e2e-tests/tests/tls-cert-manager/04-assert.yaml
index 563c754d0..018e9cb3f 100644
--- a/e2e-tests/tests/tls-cert-manager/04-assert.yaml
+++ b/e2e-tests/tests/tls-cert-manager/04-assert.yaml
@@ -36,11 +36,11 @@ spec:
 status:
 conditions:
 - message: Certificate is up to date and has not expired
- observedGeneration: 2
+ observedGeneration: 1
 reason: Ready
 status: 'True'
 type: Ready
- revision: 2
+ revision: 1
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/e2e-tests/tests/tls-cert-manager/05-check-cert.yaml b/e2e-tests/tests/tls-cert-manager/05-check-cert.yaml
index d1b5b786c..b65c07694 100644
--- a/e2e-tests/tests/tls-cert-manager/05-check-cert.yaml
+++ b/e2e-tests/tests/tls-cert-manager/05-check-cert.yaml
@@ -17,6 +17,5 @@ commands:
 "*.tls-cert-manager-orchestrator.'"${NAMESPACE}"'.svc",
 "*.tls-cert-manager-router",
 "*.tls-cert-manager-router.'"${NAMESPACE}"'",
- "*.tls-cert-manager-router.'"${NAMESPACE}"'.svc",
- "mysql-1.example.com"
+ "*.tls-cert-manager-router.'"${NAMESPACE}"'.svc"
 ]'
diff --git a/e2e-tests/tests/tls-cert-manager/06-assert.yaml b/e2e-tests/tests/tls-cert-manager/06-assert.yaml
index d2589da27..6fea42802 100644
--- a/e2e-tests/tests/tls-cert-manager/06-assert.yaml
+++ b/e2e-tests/tests/tls-cert-manager/06-assert.yaml
@@ -36,29 +36,29 @@ spec:
 status:
 conditions:
 - message: Certificate is up to date and has not expired
- observedGeneration: 2
+ observedGeneration: 1
 reason: Ready
 status: 'True'
 type: Ready
- revision: 3
+ revision: 2
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
- generation: 3
+ generation: 2
 name: tls-cert-manager-mysql
 status:
- observedGeneration: 3
+ observedGeneration: 2
 replicas: 3
 readyReplicas: 3
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
- generation: 3
+ generation: 2
 name: tls-cert-manager-orc
 status:
- observedGeneration: 3
+ observedGeneration: 2
 replicas: 3
 readyReplicas: 3
 ---
diff --git a/pkg/controller/ps/tls.go b/pkg/controller/ps/tls.go
index b808687be..fed943d2e 100644
--- a/pkg/controller/ps/tls.go
+++ b/pkg/controller/ps/tls.go
@@ -25,7 +25,21 @@ import (
 func (r *PerconaServerMySQLReconciler) ensureTLSSecret(ctx context.Context, cr *apiv1alpha1.PerconaServerMySQL) error {
 log := logf.FromContext(ctx)
- err := r.ensureSSLByCertManager(ctx, cr)
+ secretObj := corev1.Secret{}
+ err := r.Client.Get(context.TODO(),
+ types.NamespacedName{
+ Namespace: cr.Namespace,
+ Name: cr.Spec.SSLSecretName,
+ },
+ &secretObj,
+ )
+
+ // don't create ssl secret if it is created by customer not by operator
+ if err == nil && !metav1.IsControlledBy(&secretObj, cr) {
+ return nil
+ }
+
+ err = r.ensureSSLByCertManager(ctx, cr)
 if err != nil {
 if cr.Spec.TLS != nil && cr.Spec.TLS.IssuerConf != nil {
 log.Error(err, fmt.Sprintf("Failed to ensure certificate by cert-manager. Check `.spec.tls.issuerConf` in PerconaServerMySQL %s/%s", cr.Namespace, cr.Name))
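Review bot: The error from `r.Client.Get` in ensureTLSSecret is only consulted when it is nil, so any failure other than not-found (a transient API error, an RBAC denial) falls through to `ensureSSLByCertManager` even though a customer-provided secret may exist under `cr.Spec.SSLSecretName`. That is exactly the case the new guard is meant to protect, so the lookup should fail closed: `if err != nil && !k8serrors.IsNotFound(err) { return err }` placed before the ownership check, using apimachinery's `api/errors` package under whatever alias the file imports it with. The call should also take the function's `ctx` instead of `context.TODO()` so that it is cancelled together with the reconcile. When the secret is customer-owned the function returns nil without looking at its contents; if the presence of the CA, certificate and key entries is verified elsewhere, a short comment saying where would help the next reader. The body of ensureTLSSecret continues past the end of the hunk.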