diff --git a/control-plane-pki-operator/certrotationcontroller/certrotationcontroller.go b/control-plane-pki-operator/certrotationcontroller/certrotationcontroller.go
index 5e513a56dc3..d1069495826 100644
--- a/control-plane-pki-operator/certrotationcontroller/certrotationcontroller.go
+++ b/control-plane-pki-operator/certrotationcontroller/certrotationcontroller.go
@@ -91,6 +91,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Root signer for customer break-glass credentials.",
+			},
 		},
 		certrotation.CABundleConfigMap{
 			Namespace:     hostedControlPlane.Namespace,
@@ -100,6 +104,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Trust bundle for customer break-glass credentials.",
+			},
 		},
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: hostedControlPlane.Namespace,
@@ -118,6 +126,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Client certificate for customer break-glass credentials.",
+			},
 		},
 		eventRecorder,
 		clienthelpers.NewHostedControlPlaneStatusReporter(hostedControlPlane.Name, hostedControlPlane.Namespace, hypershiftClient),
@@ -137,6 +149,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Root signer for SRE break-glass credentials.",
+			},
 		},
 		certrotation.CABundleConfigMap{
 			Namespace:     hostedControlPlane.Namespace,
@@ -146,6 +162,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Trust bundle for SRE break-glass credentials.",
+			},
 		},
 		certrotation.RotatedSelfSignedCertKeySecret{
 			Namespace: hostedControlPlane.Namespace,
@@ -164,6 +184,10 @@ func NewCertRotationController(
 			Client:        kubeClient.CoreV1(),
 			EventRecorder: eventRecorder,
 			Owner:         ownerRef,
+			AdditionalAnnotations: certrotation.AdditionalAnnotations{
+				JiraComponent: "HOSTEDCP",
+				Description:   "Client certificate for SRE break-glass credentials.",
+			},
 		},
 		eventRecorder,
 		clienthelpers.NewHostedControlPlaneStatusReporter(hostedControlPlane.Name, hostedControlPlane.Namespace, hypershiftClient),