diff --git a/charts/osm/README.md b/charts/osm/README.md index 058120bb75..c2dacbffdd 100644 --- a/charts/osm/README.md +++ b/charts/osm/README.md @@ -173,6 +173,7 @@ The following table lists the configurable parameters of the osm chart and their | osm.tracing.endpoint | string | `"/api/v2/spans"` | Tracing collector's API path where the spans will be sent to | | osm.tracing.image | string | `"jaegertracing/all-in-one"` | Image used for tracing | | osm.tracing.port | int | `9411` | Port of the tracing collector service | +| osm.trustDomain | string | `"cluster.local"` | The trust domain to use as part of the common name when requesting new certificates. | | osm.validatorWebhook.webhookConfigurationName | string | `""` | Name of the ValidatingWebhookConfiguration | | osm.vault.host | string | `""` | Hashicorp Vault host/service - where Vault is installed | | osm.vault.port | int | `8200` | port to use to connect to Vault | diff --git a/charts/osm/templates/preset-mesh-root-certificate.yaml b/charts/osm/templates/preset-mesh-root-certificate.yaml index 00a1e412d9..ab97a53ac6 100644 --- a/charts/osm/templates/preset-mesh-root-certificate.yaml +++ b/charts/osm/templates/preset-mesh-root-certificate.yaml @@ -6,6 +6,7 @@ metadata: data: preset-mesh-root-certificate.json: | { + "trustDomain": {{.Values.osm.trustDomain | mustToJson}}, "provider": { {{- if eq (.Values.osm.certificateProvider.kind | lower) "tresor"}} "tresor": { diff --git a/charts/osm/values.schema.json b/charts/osm/values.schema.json index f8604a170b..4345020ce0 100644 --- a/charts/osm/values.schema.json +++ b/charts/osm/values.schema.json 
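Review bot: The added `"trustDomain": {{.Values.osm.trustDomain | mustToJson}},` line renders an explicit `""` when someone overrides `osm.trustDomain` with an empty value, and a present-but-empty field is not replaced by the CRD's `default: cluster.local` that this same change introduces, so the preset would drive certificate requests whose common-name suffix is empty. Failing the render is cheaper than debugging an identity mismatch later: `"trustDomain": {{ required "osm.trustDomain must be a non-empty string" .Values.osm.trustDomain | mustToJson }},`. The enclosing JSON object continues past the end of this hunk.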
@@ -432,6 +432,16 @@ "envoyproxy/envoy-windows:v1.19.3@sha256:f990f024e7e95f07b6c0d416684734607761e382c35d1ba9414c7e3fbf23969c" ] }, + "trustDomain": { + "$id": "#/properties/osm/properties/trustDomain", + "type": "string", + "title": "The certificate issuance Trust Domain", + "description": "The trust domain to use as part of the common name when requesting new certificates.", + "examples": [ + "cluster.local", + "example.com" + ] + }, "certificateProvider": { "$id": "#/properties/osm/properties/certificateProvider", "type": "object", diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml index 61057a5405..df8f1ec41c 100644 --- a/charts/osm/values.yaml +++ b/charts/osm/values.yaml @@ -108,6 +108,9 @@ osm: # -- Image used for Prometheus image: prom/prometheus:v2.34.0 + # -- The trust domain to use as part of the common name when requesting new certificates. + trustDomain: cluster.local + certificateProvider: # -- The Certificate manager type: `tresor`, `vault` or `cert-manager` kind: tresor diff --git a/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml b/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml index ba5366b6d2..d6266d6b26 100644 --- a/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml +++ b/cmd/osm-bootstrap/crds/config_mesh_root_certificate.yaml @@ -19,7 +19,7 @@ kind: CustomResourceDefinition metadata: name: meshrootcertificates.config.openservicemesh.io labels: - app.kubernetes.io/name : "openservicemesh.io" + app.kubernetes.io/name: "openservicemesh.io" spec: group: config.openservicemesh.io scope: Namespaced 
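Review bot: The new `trustDomain` schema entry constrains only `"type": "string"`, so `--set osm.trustDomain=""` (or a whitespace-only value) passes chart validation even though the value is spliced into certificate common names. Adding `"minLength": 1` next to `"type": "string"` rejects the empty case at `helm install` time. If the mesh's CN construction only tolerates DNS-label characters, a `"pattern"` such as `"^[A-Za-z0-9._-]+$"` would also catch typos, but I have not verified that restriction against the certificate code, so treat the pattern as a suggestion to confirm. The property object is complete within this hunk.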
@@ -35,14 +35,14 @@ spec: served: true storage: true additionalPrinterColumns: - - description: Current state of the MeshRootCertificate config - jsonPath: .status.currentState - name: State - type: string - - description: Current rotationStage of the MeshRootCertificate config - jsonPath: .status.currentRotationStage - name: RotationStage - type: string + - description: Current state of the MeshRootCertificate config + jsonPath: .status.currentState + name: State + type: string + - description: Current rotationStage of the MeshRootCertificate config + jsonPath: .status.currentRotationStage + name: RotationStage + type: string schema: openAPIV3Schema: type: object @@ -52,6 +52,10 @@ spec: required: - provider properties: + trustDomain: + description: Trust Domain to use in common name for certificates, e.g. "example.com" + type: string + default: cluster.local provider: description: Certificate provider used by the mesh control plane type: object @@ -149,9 +153,9 @@ spec: description: Namespace of the kubernetes secret type: string oneOf: - - required: ['certManager'] - - required: ['vault'] - - required: ['tresor'] + - required: ["certManager"] + - required: ["vault"] + - required: ["tresor"] status: type: object x-kubernetes-preserve-unknown-fields: true diff --git a/pkg/apis/config/v1alpha2/meshrootcertificate.go b/pkg/apis/config/v1alpha2/meshrootcertificate.go index a0f06ae7cb..146dcfd993 100644 --- a/pkg/apis/config/v1alpha2/meshrootcertificate.go +++ b/pkg/apis/config/v1alpha2/meshrootcertificate.go @@ -30,6 +30,9 @@ type MeshRootCertificate struct { type MeshRootCertificateSpec struct { // Provider specifies the mesh certificate provider Provider ProviderSpec `json:"provider"` + + // TrustDomain is the trust domain to use as a suffix in Common Names for new certificates. + TrustDomain string `json:"trustDomain"` } // ProviderSpec defines the certificate provider used by the mesh control plane
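Review bot: The new `trustDomain` property carries `default: cluster.local` but no `minLength`, and API-server defaulting only fills fields that are absent, so a MeshRootCertificate created with `trustDomain: ""` is admitted unchanged and the mesh would issue certificates with an empty common-name suffix. Adding `minLength: 1` under the property closes that gap; the `default` alone is not a validation rule. The rest of this hunk is indentation and quote-style churn unrelated to the feature, which would be easier to review as a separate commit.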
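Review bot: The new `TrustDomain string` field is tagged `json:"trustDomain"` without `omitempty`, so any Go client that builds a `MeshRootCertificateSpec` without setting it serializes `"trustDomain": ""` explicitly, and the CRD's `default: cluster.local` (added in this same change) does not apply to a present-but-empty value. Since the CRD does not list `trustDomain` under `required`, the tag should match that optionality: `TrustDomain string` with tag `json:"trustDomain,omitempty"`. The doc comment should also record the fallback, e.g. `// TrustDomain is the trust domain used as the suffix of Common Names on newly issued certificates. Defaults to "cluster.local" via the CRD when unset.` I have not seen where the controller consumes this field, so whether it also guards against an empty value at runtime is worth checking.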