diff --git a/internal/controller/postgrescluster/helpers_test.go b/internal/controller/postgrescluster/helpers_test.go
index 9f7d17762..5677e439e 100644
--- a/internal/controller/postgrescluster/helpers_test.go
+++ b/internal/controller/postgrescluster/helpers_test.go
@@ -117,7 +117,11 @@ func testCluster() *v1beta1.PostgresCluster {
 },
 Spec: v1beta1.PostgresClusterSpec{
 PostgresVersion: 13,
- Image: CrunchyPostgresHAImage,
+ Metadata: &v1beta1.Metadata{
+ Labels: map[string]string{"env-label": "test-label-value"},
+ Annotations: map[string]string{"env-annotation": "test-annotation-value"},
+ },
+ Image: CrunchyPostgresHAImage,
 ImagePullSecrets: []corev1.LocalObjectReference{{
 Name: "myImagePullSecret"},
 },
diff --git a/internal/controller/postgrescluster/pki.go b/internal/controller/postgrescluster/pki.go
index 0e686d4f7..1ca236951 100644
--- a/internal/controller/postgrescluster/pki.go
+++ b/internal/controller/postgrescluster/pki.go
@@ -64,6 +64,8 @@ func (r *Reconciler) reconcileRootCertificate(
 intent.Namespace, intent.Name = cluster.Namespace, naming.RootCertSecret
 intent.Data = make(map[string][]byte)
 intent.OwnerReferences = existing.OwnerReferences
+ intent.Annotations = naming.Merge(cluster.Spec.Metadata.GetAnnotationsOrNil())
+ intent.Labels = naming.Merge(cluster.Spec.Metadata.GetLabelsOrNil())
 
 // A root secret is scoped to the namespace where postgrescluster(s)
 // are deployed. For operator deployments with postgresclusters in more than
diff --git a/internal/controller/postgrescluster/pki_test.go b/internal/controller/postgrescluster/pki_test.go
index b61e98325..cfe5d7735 100644
--- a/internal/controller/postgrescluster/pki_test.go
+++ b/internal/controller/postgrescluster/pki_test.go
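Review bot: In the pki.go hunk for `reconcileRootCertificate`, the two added lines set the root secret's annotations and labels from whichever cluster is being reconciled, yet the secret is named `naming.RootCertSecret` and the comment right below says it is scoped to the namespace, so several PostgresClusters with different `spec.metadata` would presumably overwrite each other's values on every reconcile. Unlike `intent.OwnerReferences = existing.OwnerReferences`, nothing from `existing` is carried over for metadata. Because this secret presumably holds the root CA material, and anything that selects or copies secrets by label or annotation now follows per-cluster input, I would at least state the rule next to the assignments: `// The root secret is shared by every cluster in the namespace; labels and annotations follow the cluster reconciled last.` The function starts and ends outside the hunk.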
@@ -137,6 +137,26 @@ func TestReconcileCerts(t *testing.T) { assert.DeepEqual(t, *fromSecret, initialRoot.Certificate) }) + t.Run("check root CA secret labels", func(t *testing.T) { + err := tClient.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret) + assert.NilError(t, err) + + assert.Check(t, len(rootSecret.Labels) == 1, "root CA secret labels not set") + + expectedLabel := map[string]string{"env-label": "test-label-value"} + assert.DeepEqual(t, rootSecret.Labels, expectedLabel) + }) + + t.Run("check root CA secret annotations", func(t *testing.T) { + err := tClient.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret) + assert.NilError(t, err) + + assert.Check(t, len(rootSecret.Annotations) == 1, "root CA secret annotations not set") + + expectedAnnotation := map[string]string{"env-annotation": "test-annotation-value"} + assert.DeepEqual(t, rootSecret.Annotations, expectedAnnotation) + }) + t.Run("root certificate changes", func(t *testing.T) { // force the generation of a new root cert // create an empty secret and apply the change
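Review bot: The `len(rootSecret.Labels) == 1` and `len(rootSecret.Annotations) == 1` checks in the two new subtests are redundant with the `assert.DeepEqual` that follows each, and their "not set" messages would mislead if an extra key ever appeared; I would drop them and keep only `assert.DeepEqual(t, rootSecret.Labels, expectedLabel)` and its annotations counterpart. Neither subtest covers a second PostgresCluster in the same namespace with different metadata, which is the case where the shared root secret's labels and annotations could change between reconciles. `TestReconcileCerts` starts and ends outside the hunk.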