diff --git a/main.go b/main.go
index add56d97c49..e90f70a0568 100644
--- a/main.go
+++ b/main.go
@@ -312,6 +312,16 @@ func innerMain() int {
 		}
 	}
 
+	// Always enable downstream checking for the webhooks, if enabled.
+	if len(webhooks) > 0 {
+		tlsChecker := webhook.NewTLSChecker(*certDir, *port)
+		setupLog.Info("setting up TLS readiness probe")
+		if err := mgr.AddReadyzCheck("tls-check", tlsChecker); err != nil {
+			setupLog.Error(err, "unable to create tls readiness check")
+			return 1
+		}
+	}
+
 	// Setup controllers asynchronously, they will block for certificate generation if needed.
 	setupErr := make(chan error)
 	ctx := ctrl.SetupSignalHandler()