diff --git a/api/v1beta1/clusterrelocation_types.go b/api/v1beta1/clusterrelocation_types.go
index 0c18db3..e785211 100644
--- a/api/v1beta1/clusterrelocation_types.go
+++ b/api/v1beta1/clusterrelocation_types.go
@@ -129,8 +129,10 @@ type ACMRegistration struct {
 // ClusterName will be the name of the ManagedCluster in ACM.
 ClusterName string `json:"clusterName"`
- // TokenRef is a secret reference with credentials for the ACM cluster.
- TokenRef corev1.SecretReference `json:"tokenRef"`
+ // acmSecret is a secret reference with credentials for the ACM cluster.
+ // It must have a 'token' field. Optionally, it can have a 'ca.crt' field
+ // which provides the CA bundle for the ACM cluster.
+ ACMSecret corev1.SecretReference `json:"acmSecret"`
 // KlusterletAddonConfig is the klusterlet add-on configuration.
 KlusterletAddonConfig *agentv1.KlusterletAddonConfigSpec `json:"klusterletAddonConfig,omitempty"`
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 3963980..862ff3a 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -32,7 +32,7 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACMRegistration) DeepCopyInto(out *ACMRegistration) {
 *out = *in
- out.TokenRef = in.TokenRef
+ out.ACMSecret = in.ACMSecret
 if in.KlusterletAddonConfig != nil {
 in, out := &in.KlusterletAddonConfig, &out.KlusterletAddonConfig
 *out = new(agentv1.KlusterletAddonConfigSpec)
diff --git a/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml b/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml
index 02311b5..d145d83 100644
--- a/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml
+++ b/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml
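Review bot: The doc comment on the renamed field opens with `acmSecret`, the JSON name, rather than the Go identifier; Go doc convention wants `// ACMSecret is a secret reference with credentials for the ACM cluster.`, and because controller-gen copies this comment into the CRD description the fix lands in the generated YAML on the next regeneration. Renaming the serialized field from `tokenRef` to `acmSecret` inside the same v1beta1 API, with no deprecation period or conversion, also appears to be a breaking schema change: existing ClusterRelocation objects that carry `tokenRef` will no longer satisfy the required `acmSecret` property once the new CRD is applied, so that is worth stating in the field comment or the release notes. The ACMRegistration struct continues outside the hunk.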
@@ -39,6 +39,22 @@ spec:
 description: ACMRegistration allows you to register this cluster to a remote ACM cluster.
 properties:
+ acmSecret:
+ description: acmSecret is a secret reference with credentials
+ for the ACM cluster. It must have a 'token' field. Optionally,
+ it can have a 'ca.crt' field which provides the CA bundle for
+ the ACM cluster.
+ properties:
+ name:
+ description: name is unique within a namespace to reference
+ a secret resource.
+ type: string
+ namespace:
+ description: namespace defines the space within which the
+ secret name must be unique.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
 clusterName:
 description: ClusterName will be the name of the ManagedCluster in ACM.
@@ -208,26 +224,12 @@ spec:
 - policyController
 - searchCollector
 type: object
- tokenRef:
- description: TokenRef is a secret reference with credentials for
- the ACM cluster.
- properties:
- name:
- description: name is unique within a namespace to reference
- a secret resource.
- type: string
- namespace:
- description: namespace defines the space within which the
- secret name must be unique.
- type: string
- type: object
- x-kubernetes-map-type: atomic
 url:
 description: URL is the API URL of the ACM cluster.
 type: string
 required:
+ - acmSecret
 - clusterName
- - tokenRef
 - url
 type: object
 apiCertRef:
diff --git a/internal/acm/reconcile.go b/internal/acm/reconcile.go
index 0d86c12..c055590 100644
--- a/internal/acm/reconcile.go
+++ b/internal/acm/reconcile.go
@@ -40,7 +40,7 @@ func checkKlusterlet(ctx context.Context, c client.Client, logger logr.Logger) e
 err := c.Get(ctx, types.NamespacedName{Name: "klusterlet"}, klusterlet)
 if err == nil {
 klusterletCondition := apimeta.FindStatusCondition(klusterlet.Status.Conditions, "Available")
- if klusterletCondition.Status == metav1.ConditionTrue {
+ if klusterletCondition != nil && klusterletCondition.Status == metav1.ConditionTrue {
 logger.Info("cluster registered to ACM")
 } else {
 return fmt.Errorf("cluster not registered to ACM")
@@ -64,14 +64,15 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 // Creating ManagedClusters (these are cluster scoped resources)
 // Creating KlusterletAddonConfigs (these are namespace scoped resources)
 // Getting Secrets (these are namespace scoped resources)
- tokenSecret := &corev1.Secret{}
- if err := c.Get(ctx, types.NamespacedName{Name: relocation.Spec.ACMRegistration.TokenRef.Name, Namespace: relocation.Spec.ACMRegistration.TokenRef.Namespace}, tokenSecret); err != nil {
+ acmSecret := &corev1.Secret{}
+ if err := c.Get(ctx, types.NamespacedName{Name: relocation.Spec.ACMRegistration.ACMSecret.Name, Namespace: relocation.Spec.ACMRegistration.ACMSecret.Namespace}, acmSecret); err != nil {
 return err
 }
+
 config := rest.Config{
 Host: relocation.Spec.ACMRegistration.URL,
- BearerToken: string(tokenSecret.Data["token"]),
- TLSClientConfig: rest.TLSClientConfig{Insecure: true}, // TODO: allow custom CA contents
+ BearerToken: string(acmSecret.Data["token"]),
+ TLSClientConfig: rest.TLSClientConfig{CAData: acmSecret.Data["ca.crt"]},
 }
 acmClient, err := client.New(&config, client.Options{Scheme: scheme})
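Review bot: `BearerToken: string(acmSecret.Data["token"])` in the second hunk silently produces an empty token when the secret lacks the `token` key that the field's documentation declares mandatory, so a misconfigured secret shows up later as an unauthenticated request to the ACM API instead of a clear error at this point. A guard right after the Get succeeds makes the contract explicit: `if len(acmSecret.Data["token"]) == 0 { return fmt.Errorf("secret %s/%s has no 'token' key", acmSecret.Namespace, acmSecret.Name) }`. The `ca.crt` handling is implicit in the same way: with the key absent CAData is nil and, as far as I know client-go, verification falls back to the system trust store, which matches the "optional" wording but deserves a comment on the TLSClientConfig line such as `// ca.crt is optional; nil CAData falls back to the system roots`. Reconcile continues outside the hunk.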