diff --git a/pkg/apis/serving/v1alpha1/domainmapping_lifecycle.go b/pkg/apis/serving/v1alpha1/domainmapping_lifecycle.go
index 0f9f9e494456..4ab88d4396f2 100644
--- a/pkg/apis/serving/v1alpha1/domainmapping_lifecycle.go
+++ b/pkg/apis/serving/v1alpha1/domainmapping_lifecycle.go
@@ -27,6 +27,7 @@ var domainMappingCondSet = apis.NewLivingConditionSet(
 DomainMappingConditionDomainClaimed,
 DomainMappingConditionReferenceResolved,
 DomainMappingConditionIngressReady,
+ DomainMappingConditionCertificateProvisioned,
 )
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -57,6 +58,60 @@ func (dms *DomainMappingStatus) InitializeConditions() {
 domainMappingCondSet.Manage(dms).InitializeConditions()
 }
+const (
+ // AutoTLSNotEnabledMessage is the message which is set on the
+ // DomainMappingConditionCertificateProvisioned condition when it is set to True
+ // because AutoTLS was not enabled.
+ AutoTLSNotEnabledMessage = "autoTLS is not enabled"
+)
+
+// MarkTLSNotEnabled sets DomainMappingConditionCertificateProvisioned to true when
+// certificate provisioning was skipped because TLS was not enabled.
+func (dms *DomainMappingStatus) MarkTLSNotEnabled(msg string) {
+ domainMappingCondSet.Manage(dms).MarkTrueWithReason(DomainMappingConditionCertificateProvisioned,
+ "TLSNotEnabled", msg)
+}
+
+// MarkCertificateReady marks the DomainMappingConditionCertificateProvisioned
+// condition to indicate that the Certificate is ready.
+func (dms *DomainMappingStatus) MarkCertificateReady(name string) {
+ domainMappingCondSet.Manage(dms).MarkTrue(DomainMappingConditionCertificateProvisioned)
+}
+
+// MarkCertificateNotReady marks the DomainMappingConditionCertificateProvisioned
+// condition to indicate that the Certificate is not ready.
+func (dms *DomainMappingStatus) MarkCertificateNotReady(name string) {
+ domainMappingCondSet.Manage(dms).MarkUnknown(DomainMappingConditionCertificateProvisioned,
+ "CertificateNotReady",
+ "Certificate %s is not ready.", name)
+}
+
+// MarkCertificateNotOwned changes the DomainMappingConditionCertificateProvisioned
+// status to be false with the reason being that there is an existing
+// certificate with the name we wanted to use.
+func (dms *DomainMappingStatus) MarkCertificateNotOwned(name string) {
+ domainMappingCondSet.Manage(dms).MarkFalse(DomainMappingConditionCertificateProvisioned,
+ "CertificateNotOwned",
+ "There is an existing certificate %s that we don't own.", name)
+}
+
+// MarkCertificateProvisionFailed marks the
+// DomainMappingConditionCertificateProvisioned condition to indicate that the
+// Certificate provisioning failed.
+func (dms *DomainMappingStatus) MarkCertificateProvisionFailed(name string) {
+ domainMappingCondSet.Manage(dms).MarkFalse(DomainMappingConditionCertificateProvisioned,
+ "CertificateProvisionFailed",
+ "Certificate %s failed to be provisioned.", name)
+}
+
+// MarkHTTPDowngrade sets DomainMappingConditionCertificateProvisioned to true when plain
+// HTTP is enabled even when Certificate is not ready.
+func (dms *DomainMappingStatus) MarkHTTPDowngrade(name string) {
+ domainMappingCondSet.Manage(dms).MarkTrueWithReason(DomainMappingConditionCertificateProvisioned,
+ "HTTPDowngrade",
+ "Certificate %s is not ready downgrade HTTP.", name)
+}
+
 // MarkIngressNotConfigured changes the IngressReady condition to be unknown to reflect
 // that the Ingress does not yet have a Status.
 func (dms *DomainMappingStatus) MarkIngressNotConfigured() {
diff --git a/pkg/apis/serving/v1alpha1/domainmapping_lifecycle_test.go b/pkg/apis/serving/v1alpha1/domainmapping_lifecycle_test.go
index bbcb3ecc5426..675c448361e7 100644
--- a/pkg/apis/serving/v1alpha1/domainmapping_lifecycle_test.go
+++ b/pkg/apis/serving/v1alpha1/domainmapping_lifecycle_test.go
@@ -71,6 +71,7 @@ func TestDomainClaimConditions(t *testing.T) {
 dms := &DomainMappingStatus{}
 dms.InitializeConditions()
+ dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
 apistest.CheckConditionOngoing(dms, DomainMappingConditionDomainClaimed, t)
 apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)
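Review bot: In domainmapping_lifecycle.go, `MarkHTTPDowngrade` and `MarkTLSNotEnabled` both set `DomainMappingConditionCertificateProvisioned` to True although no certificate exists, so anyone who checks only the status (or the aggregate Ready condition, now that this type is in `domainMappingCondSet`) cannot tell a TLS-protected mapping from one served over plain HTTP. The Reason string is the only distinguishing signal, and neither the method comments nor the type comment in domainmapping_types.go, which describes only the False case, say so. I would add to the `MarkHTTPDowngrade` doc comment `// The condition is True although no certificate was provisioned; callers that need to know whether TLS is in effect must check for Reason "HTTPDowngrade".` and give `MarkTLSNotEnabled` and the type comment the same caveat for `"TLSNotEnabled"`. Separately, `MarkCertificateReady(name string)` never uses `name`; either write the parameter as `_ string` or document that it is kept so all Mark* methods share a signature.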
@@ -102,6 +103,7 @@ func TestReferenceResolvedCondition(t *testing.T) {
 dms := &DomainMappingStatus{}
 dms.InitializeConditions()
+ dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
 apistest.CheckConditionOngoing(dms, DomainMappingConditionReferenceResolved, t)
 apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)
@@ -129,10 +131,53 @@ func TestReferenceResolvedCondition(t *testing.T) {
 apistest.CheckConditionFailed(dms, DomainMappingConditionReady, t)
 }
+func TestCertificateNotReady(t *testing.T) {
+ dms := &DomainMappingStatus{}
+
+ dms.InitializeConditions()
+ dms.MarkCertificateNotReady("cert pending")
+
+ apistest.CheckConditionOngoing(dms, DomainMappingConditionCertificateProvisioned, t)
+}
+
+func TestCertificateProvisionFailed(t *testing.T) {
+ dms := &DomainMappingStatus{}
+
+ dms.InitializeConditions()
+ dms.MarkCertificateProvisionFailed("cert failed")
+
+ apistest.CheckConditionFailed(dms, DomainMappingConditionCertificateProvisioned, t)
+}
+
+func TestDomainMappingNotOwnCertificate(t *testing.T) {
+ dms := &DomainMappingStatus{}
+ dms.InitializeConditions()
+ dms.MarkCertificateNotOwned("cert not owned")
+
+ apistest.CheckConditionFailed(dms, DomainMappingConditionCertificateProvisioned, t)
+}
+
+func TestDomainMappingAutoTLSNotEnabled(t *testing.T) {
+ dms := &DomainMappingStatus{}
+ dms.InitializeConditions()
+ dms.MarkTLSNotEnabled(AutoTLSNotEnabledMessage)
+
+ apistest.CheckConditionSucceeded(dms, DomainMappingConditionCertificateProvisioned, t)
+}
+
+func TestDomainMappingHTTPDowngrade(t *testing.T) {
+ dms := &DomainMappingStatus{}
+ dms.InitializeConditions()
+ dms.MarkHTTPDowngrade("downgraded to HTTP because we can't obtain cert")
+
+ apistest.CheckConditionSucceeded(dms, DomainMappingConditionCertificateProvisioned, t)
+}
+
 func TestPropagateIngressStatus(t *testing.T) {
 dms := &DomainMappingStatus{}
 dms.InitializeConditions()
+ dms.MarkTLSNotEnabled("AutoTLS not yet available for DomainMapping")
 apistest.CheckConditionOngoing(dms, DomainMappingConditionIngressReady, t)
 apistest.CheckConditionOngoing(dms, DomainMappingConditionReady, t)
diff --git a/pkg/apis/serving/v1alpha1/domainmapping_types.go b/pkg/apis/serving/v1alpha1/domainmapping_types.go
index 8421afdf0d2a..0fa82ca951c0 100644
--- a/pkg/apis/serving/v1alpha1/domainmapping_types.go
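Review bot: The new tests in domainmapping_lifecycle_test.go assert only the condition's status, so nothing pins the Reason that separates `MarkHTTPDowngrade` and `MarkTLSNotEnabled` (both True) from a provisioned certificate, and `MarkCertificateReady` has no test at all. In `TestDomainMappingHTTPDowngrade` I would add `if c := domainMappingCondSet.Manage(dms).GetCondition(DomainMappingConditionCertificateProvisioned); c == nil || c.Reason != "HTTPDowngrade" { t.Errorf("unexpected condition: %v", c) }`, and the same check for `"TLSNotEnabled"` in `TestDomainMappingAutoTLSNotEnabled`. The arguments passed are also sentences (`"cert pending"`, `"downgraded to HTTP because we can't obtain cert"`) where the methods take a certificate name; that goes unnoticed only because the Message is never compared.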
+++ b/pkg/apis/serving/v1alpha1/domainmapping_types.go
@@ -106,6 +106,10 @@ const (
 // DomainMappingConditionDomainClaimed reflects that the ClusterDomainClaim
 // for this DomainMapping exists, and is owned by this DomainMapping.
 DomainMappingConditionDomainClaimed apis.ConditionType = "DomainClaimed"
+
+ // DomainMappingConditionCertificateProvisioned is set to False when the
+ // Knative Certificates fail to be provisioned for the DomainMapping.
+ DomainMappingConditionCertificateProvisioned apis.ConditionType = "CertificateProvisioned"
 )
 // GetStatus retrieves the status of the DomainMapping. Implements the KRShaped interface.
diff --git a/pkg/reconciler/domainmapping/reconciler.go b/pkg/reconciler/domainmapping/reconciler.go
index 17ec099b664a..f0da3bdfac80 100644
--- a/pkg/reconciler/domainmapping/reconciler.go
+++ b/pkg/reconciler/domainmapping/reconciler.go
@@ -58,6 +58,9 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, dm *v1alpha1.DomainMappi
 logger := logging.FromContext(ctx)
 logger.Debugf("Reconciling DomainMapping %s/%s", dm.Namespace, dm.Name)
+ // TODO(https://github.com/knative/serving/issues/10247)
+ dm.Status.MarkTLSNotEnabled("AutoTLS for DomainMapping is not implemented")
+
 // Defensively assume the ingress is not configured until we manage to
 // successfully reconcile it below. This avoids error cases where we fail
 // before we've reconciled the ingress and get a new ObservedGeneration but
diff --git a/pkg/reconciler/domainmapping/table_test.go b/pkg/reconciler/domainmapping/table_test.go
index 230ddca68875..7243ae9727c7 100644
--- a/pkg/reconciler/domainmapping/table_test.go
+++ b/pkg/reconciler/domainmapping/table_test.go
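Review bot: In reconciler.go the call `dm.Status.MarkTLSNotEnabled("AutoTLS for DomainMapping is not implemented")` is unconditional, so every DomainMapping reports CertificateProvisioned=True and the missing certificate never holds back Ready, whatever the cluster's TLS settings are. The bare-URL TODO does not tell an operator or the next maintainer that. I would spell it out: `// TODO(https://github.com/knative/serving/issues/10247): provision a Certificate when autoTLS is enabled. Until then the condition is always True with reason TLSNotEnabled and does not indicate that the domain is served over TLS.` Whether the ingress reconciled further down is HTTP-only cannot be seen here, since ReconcileKind starts above the hunk and continues below it.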
@@ -604,6 +604,7 @@ func withPropagatedStatus(status netv1alpha1.IngressStatus) domainMappingOption
 func withInitDomainMappingConditions(dm *v1alpha1.DomainMapping) {
 dm.Status.InitializeConditions()
+ dm.Status.MarkTLSNotEnabled("AutoTLS for DomainMapping is not implemented")
 }
 func withDomainClaimNotOwned(dm *v1alpha1.DomainMapping) {