diff --git a/servicecertsigner/v1alpha1/types.go b/servicecertsigner/v1alpha1/types.go
index 5ae45591088..0393c412211 100644
--- a/servicecertsigner/v1alpha1/types.go
+++ b/servicecertsigner/v1alpha1/types.go
@@ -22,6 +22,16 @@ type ServiceServingCertSignerConfig struct {
 
 	// signer holds the signing information used to automatically sign serving certificates.
 	Signer configv1.CertInfo `json:"signer"`
+
+	// IntermediateCertFile is the name of a file containing a
+	// PEM-encoded certificate. Only required if the initial CA has
+	// been rotated. The certificate should consist of the public key
+	// of the current CA signed by the private key of the previous
+	// CA. When included with a serving cert generated by the current
+	// CA, this certificate should allow clients with a stale CA bundle
+	// to trust the serving cert.
+	// +optional
+	IntermediateCertFile string `json:"intermediateCertFile"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/servicecertsigner/v1alpha1/zz_generated.swagger_doc_generated.go b/servicecertsigner/v1alpha1/zz_generated.swagger_doc_generated.go
index 3401480cd85..6987ade923d 100644
--- a/servicecertsigner/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/servicecertsigner/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -58,8 +58,9 @@ func (ServiceCertSignerOperatorConfigSpec) SwaggerDoc() map[string]string {
 }
 
 var map_ServiceServingCertSignerConfig = map[string]string{
-	"":       "ServiceServingCertSignerConfig provides information to configure a serving serving cert signing controller",
-	"signer": "signer holds the signing information used to automatically sign serving certificates.",
+	"":                     "ServiceServingCertSignerConfig provides information to configure a serving serving cert signing controller",
+	"signer":               "signer holds the signing information used to automatically sign serving certificates.",
+	"intermediateCertFile": "IntermediateCertFile is the name of a file containing a PEM-encoded certificate. Only required if the initial CA has been rotated. The certificate should consist of the public key of the current CA signed by the private key of the previous CA. When included with a serving cert generated by the current CA, this certificate should allow clients with a stale CA bundle to trust the serving cert.",
 }
 
 func (ServiceServingCertSignerConfig) SwaggerDoc() map[string]string {