diff --git a/addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml b/addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml
index 614048d1e..4b6d3723e 100644
--- a/addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml
+++ b/addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml
@@ -137,6 +137,18 @@ spec:
                     description: RegistrationConfig defines the configuration of the addon agent to register to hub. The Klusterlet agent will create a csr for the addon agent with the registrationConfig.
                     type: object
                     properties:
+                      certificateStatus:
+                        description: certificateStatus actively tracks the status of the certificate used by the addon.
+                        type: object
+                        properties:
+                          expiringTimestamp:
+                            description: expiringTimestamp records the next time certificate will expire.
+                            type: string
+                            format: date-time
+                          lastRenewedTimestamp:
+                            description: lastRenewedTimestamp records the last timestamp when we approved/renewed certificates for the addon agents.
+                            type: string
+                            format: date-time
                       signerName:
                         description: signerName is the name of signer that addon agent will use to create csr.
                         type: string
diff --git a/addon/v1alpha1/types_managedclusteraddon.go b/addon/v1alpha1/types_managedclusteraddon.go
index 7c20d159c..4a5738cbd 100644
--- a/addon/v1alpha1/types_managedclusteraddon.go
+++ b/addon/v1alpha1/types_managedclusteraddon.go
@@ -58,6 +58,18 @@ type RegistrationConfig struct {
 	//
 	// +optional
 	Subject Subject `json:"subject,omitempty"`
+
+	// certificateStatus actively tracks the status of the certificate used by the addon.
+	CertificateStatus *RegistrationConfigCertificateStatus `json:"certificateStatus,omitempty"`
+}
+
+type RegistrationConfigCertificateStatus struct {
+	// lastRenewedTimestamp records the last timestamp when we approved/renewed certificates
+	// for the addon agents.
+	LastRenewedTimestamp metav1.Time `json:"lastRenewedTimestamp,omitempty"`
+
+	// expiringTimestamp records the next time certificate will expire.
+	ExpiringTimestamp metav1.Time `json:"expiringTimestamp,omitempty"`
 }
 
 // Subject is the user subject of the addon agent to be registered to the hub.
@@ -126,6 +138,16 @@ const (
 	// ManagedClusterAddOnConditionDegraded represents that the addon agent is providing degraded service on
 	// the managed cluster.
 	ManagedClusterAddOnConditionDegraded string = "Degraded"
+
+	// ManagedClusterAddOConditionTypeRegistrationApplied represents that whether the addon agent finished
+	// its registration into the hub control plane, including finishing CSR approval, signing, permission
+	// configuration, etc.
+	ManagedClusterAddOConditionTypeRegistrationApplied = "RegistrationApplied"
+
+	// ManagedClusterAddOConditionTypeManifestApplied represents that whether the corresponding resources are
+	// applied to the hub cluster as a ManifestWork resource. Note that it doesn't imply the applied ManifestWork
+	// is successfully delivered/executed by the work agent.
+	ManagedClusterAddOConditionTypeManifestApplied = "ManifestApplied"
 )
 
 // ObjectReference contains enough information to let you inspect or modify the referred object.
diff --git a/addon/v1alpha1/zz_generated.deepcopy.go b/addon/v1alpha1/zz_generated.deepcopy.go
index 0bd5ef90f..c2fd28d57 100644
--- a/addon/v1alpha1/zz_generated.deepcopy.go
+++ b/addon/v1alpha1/zz_generated.deepcopy.go
@@ -288,6 +288,11 @@ func (in *ObjectReference) DeepCopy() *ObjectReference {
 func (in *RegistrationConfig) DeepCopyInto(out *RegistrationConfig) {
 	*out = *in
 	in.Subject.DeepCopyInto(&out.Subject)
+	if in.CertificateStatus != nil {
+		in, out := &in.CertificateStatus, &out.CertificateStatus
+		*out = new(RegistrationConfigCertificateStatus)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -301,6 +306,24 @@ func (in *RegistrationConfig) DeepCopy() *RegistrationConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RegistrationConfigCertificateStatus) DeepCopyInto(out *RegistrationConfigCertificateStatus) {
+	*out = *in
+	in.LastRenewedTimestamp.DeepCopyInto(&out.LastRenewedTimestamp)
+	in.ExpiringTimestamp.DeepCopyInto(&out.ExpiringTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegistrationConfigCertificateStatus.
+func (in *RegistrationConfigCertificateStatus) DeepCopy() *RegistrationConfigCertificateStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RegistrationConfigCertificateStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Subject) DeepCopyInto(out *Subject) {
 	*out = *in
diff --git a/addon/v1alpha1/zz_generated.swagger_doc_generated.go b/addon/v1alpha1/zz_generated.swagger_doc_generated.go
index b8dbd2192..9433b62fe 100644
--- a/addon/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/addon/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -132,15 +132,25 @@ func (ObjectReference) SwaggerDoc() map[string]string {
 }
 
 var map_RegistrationConfig = map[string]string{
-	"":           "RegistrationConfig defines the configuration of the addon agent to register to hub. The Klusterlet agent will create a csr for the addon agent with the registrationConfig.",
-	"signerName": "signerName is the name of signer that addon agent will use to create csr.",
-	"subject":    "subject is the user subject of the addon agent to be registered to the hub. If it is not set, the addon agent will have the default subject \"subject\": {\n\t\"user\": \"system:open-cluster-management:addon:{addonName}:{clusterName}:{agentName}\",\n\t\"groups: [\"system:open-cluster-management:addon\", \"system:open-cluster-management:addon:{addonName}\", \"system:authenticated\"]\n}",
+	"":                  "RegistrationConfig defines the configuration of the addon agent to register to hub. The Klusterlet agent will create a csr for the addon agent with the registrationConfig.",
+	"signerName":        "signerName is the name of signer that addon agent will use to create csr.",
+	"subject":           "subject is the user subject of the addon agent to be registered to the hub. If it is not set, the addon agent will have the default subject \"subject\": {\n\t\"user\": \"system:open-cluster-management:addon:{addonName}:{clusterName}:{agentName}\",\n\t\"groups: [\"system:open-cluster-management:addon\", \"system:open-cluster-management:addon:{addonName}\", \"system:authenticated\"]\n}",
+	"certificateStatus": "certificateStatus actively tracks the status of the certificate used by the addon.",
 }
 
 func (RegistrationConfig) SwaggerDoc() map[string]string {
 	return map_RegistrationConfig
 }
 
+var map_RegistrationConfigCertificateStatus = map[string]string{
+	"lastRenewedTimestamp": "lastRenewedTimestamp records the last timestamp when we approved/renewed certificates for the addon agents.",
+	"expiringTimestamp":    "expiringTimestamp records the next time certificate will expire.",
+}
+
+func (RegistrationConfigCertificateStatus) SwaggerDoc() map[string]string {
+	return map_RegistrationConfigCertificateStatus
+}
+
 var map_Subject = map[string]string{
 	"":                 "Subject is the user subject of the addon agent to be registered to the hub.",
 	"user":             "user is the user name of the addon agent.",