diff --git a/pkg/cmd/start/bootstrap.go b/pkg/cmd/start/bootstrap.go
index 613163b8f..4420fa660 100644
--- a/pkg/cmd/start/bootstrap.go
+++ b/pkg/cmd/start/bootstrap.go
@@ -2,6 +2,7 @@ package start
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -52,6 +53,10 @@ import (
 	esv1 "github.com/openshift/elasticsearch-operator/apis/logging/v1"
 )
 
+// We should avoid that users unknowingly use a vulnerable TLS version.
+// The defaults should be a safe configuration.
+const defaultMinTLSVersion = tls.VersionTLS12
+
 var (
 	scheme   = k8sruntime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -320,10 +325,16 @@ func createManager(ctx context.Context, cfg *rest.Config) manager.Manager {
 	leaseDuration := time.Second * 137
 	renewDeadline := time.Second * 107
 	retryPeriod := time.Second * 26
+
+	optionsTlSOptsFuncs := []func(*tls.Config){
+		func(config *tls.Config) { minTlsDefault(config) },
+	}
+
 	options := ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
 		Port:                   webhookPort,
+		TLSOpts:                optionsTlSOptsFuncs,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "31e04290.jaegertracing.io",
@@ -434,3 +445,7 @@ func getNamespace(ctx context.Context) string {
 
 	return podNamespace
 }
+
+func minTlsDefault(cfg *tls.Config) {
+	cfg.MinVersion = defaultMinTLSVersion
+}
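Review bot: The closure in `optionsTlSOptsFuncs` only forwards its argument to `minTlsDefault`, so the five added lines before `options := ctrl.Options{` collapse to the function value itself, and the identifier's `TlS` capitalization departs from Go's initialism convention: `TLSOpts: []func(*tls.Config){minTLSDefault},` (with the helper renamed to match) does the same job. Separately, as far as this hunk shows, `TLSOpts` applies only to the manager's webhook server on `Port`; the endpoint bound at `MetricsBindAddress` is configured independently here, so if it is served over TLS elsewhere in the file it needs the same minimum-version floor, otherwise a note such as `// TLSOpts covers the webhook server only; metrics are served separately.` would stop a reader assuming broader coverage. `createManager` begins and continues outside the hunk.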
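Review bot: `minTlsDefault` assigns `MinVersion` unconditionally, so a stricter minimum placed earlier in the same `TLSOpts` slice, or set on the config before these options run, would be lowered back to TLS 1.2 — for something named a default the assignment should be a floor: `if cfg.MinVersion < defaultMinTLSVersion { cfg.MinVersion = defaultMinTLSVersion }`. The function also lacks a doc comment; `// minTLSDefault raises cfg.MinVersion to defaultMinTLSVersion unless a higher minimum is already set.` states the contract, and renaming it `minTLSDefault` follows Go's initialism style for the callers in this file.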