diff --git a/pkg/deploy/che_configmap.go b/pkg/deploy/che_configmap.go
index cd21c56e8f..bb4057c1c9 100644
--- a/pkg/deploy/che_configmap.go
+++ b/pkg/deploy/che_configmap.go
@@ -78,7 +78,10 @@ type CheConfigMap struct {
 }
 
 func SyncCheConfigMapToCluster(checluster *orgv1.CheCluster, proxy *Proxy, clusterAPI ClusterAPI) (*corev1.ConfigMap, error) {
-	data := GetCheConfigMapData(checluster, proxy)
+	data, err := GetCheConfigMapData(checluster, proxy, clusterAPI)
+	if err != nil {
+		return nil, err
+	}
 	specConfigMap, err := GetSpecConfigMap(checluster, CheConfigMapName, data, clusterAPI)
 	if err != nil {
 		return nil, err
@@ -87,9 +90,9 @@ func SyncCheConfigMapToCluster(checluster *orgv1.CheCluster, proxy *Proxy, clust
 	return SyncConfigMapToCluster(checluster, specConfigMap, clusterAPI)
 }
 
-// GetConfigMapData gets env values from CR spec and returns a map with key:value
+// GetCheConfigMapData gets env values from CR spec and returns a map with key:value
 // which is used in CheCluster ConfigMap to configure CheCluster master behavior
-func GetCheConfigMapData(cr *orgv1.CheCluster, proxy *Proxy) (cheEnv map[string]string) {
+func GetCheConfigMapData(cr *orgv1.CheCluster, proxy *Proxy, clusterAPI ClusterAPI) (cheEnv map[string]string, err error) {
 	cheHost := cr.Spec.Server.CheHost
 	keycloakURL := cr.Spec.Auth.IdentityProviderURL
 	isOpenShift, isOpenshift4, err := util.DetectOpenShift()
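Review bot: The rewritten doc comment on the `+// GetCheConfigMapData` line corrects the name but says nothing about the new `clusterAPI` parameter or the added `error` result that every caller must now handle. Since the function now performs a cluster read (the Che TLS Secret lookup added later in this diff) in addition to assembling values from the CR spec, the comment should say so; suggest appending `// When CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT is set in CustomCheProperties it reads the Che TLS secret via clusterAPI` and `// and returns an error if that lookup fails.` The body of GetCheConfigMapData continues past the end of this hunk.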
@@ -228,19 +231,30 @@ func GetCheConfigMapData(cr *orgv1.CheCluster, proxy *Proxy) (cheEnv map[string]
 	err = json.Unmarshal(out, &cheEnv)
 
 	// k8s specific envs
-	k8sCheEnv := map[string]string{
-		"CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP": securityContextFsGroup,
-		"CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER": securityContextRunAsUser,
-		"CHE_INFRA_KUBERNETES_INGRESS_DOMAIN": ingressDomain,
-		"CHE_INFRA_KUBERNETES_SERVER__STRATEGY": ingressStrategy,
-		"CHE_INFRA_KUBERNETES_TLS__SECRET": tlsSecretName,
-		"CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON": "{\"kubernetes.io/ingress.class\": " + ingressClass + ", \"nginx.ingress.kubernetes.io/rewrite-target\": \"/$1\",\"nginx.ingress.kubernetes.io/ssl-redirect\": " + tls + ",\"nginx.ingress.kubernetes.io/proxy-connect-timeout\": \"3600\",\"nginx.ingress.kubernetes.io/proxy-read-timeout\": \"3600\"}",
-		"CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM": "%s(.*)",
-	}
 	if !isOpenShift {
+		k8sCheEnv := map[string]string{
+			"CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP": securityContextFsGroup,
+			"CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER": securityContextRunAsUser,
+			"CHE_INFRA_KUBERNETES_INGRESS_DOMAIN": ingressDomain,
+			"CHE_INFRA_KUBERNETES_SERVER__STRATEGY": ingressStrategy,
+			"CHE_INFRA_KUBERNETES_TLS__SECRET": tlsSecretName,
+			"CHE_INFRA_KUBERNETES_INGRESS_ANNOTATIONS__JSON": "{\"kubernetes.io/ingress.class\": " + ingressClass + ", \"nginx.ingress.kubernetes.io/rewrite-target\": \"/$1\",\"nginx.ingress.kubernetes.io/ssl-redirect\": " + tls + ",\"nginx.ingress.kubernetes.io/proxy-connect-timeout\": \"3600\",\"nginx.ingress.kubernetes.io/proxy-read-timeout\": \"3600\"}",
+			"CHE_INFRA_KUBERNETES_INGRESS_PATH__TRANSFORM": "%s(.*)",
+		}
+		// Add TLS key and server certificate to properties when user workspaces should be created in another
+		// than Che server namespace, from where the Che TLS secret is not accesible.
+		if _, keyExists := cr.Spec.Server.CustomCheProperties["CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT"]; keyExists {
+			cheTLSSecret, err := GetClusterSecret(cr.Spec.K8s.TlsSecretName, cr.ObjectMeta.Namespace, clusterAPI)
+			if err != nil {
+				return nil, err
+			}
+			k8sCheEnv["CHE_INFRA_KUBERNETES_TLS__KEY"] = string(cheTLSSecret.Data["tls.key"])
+			k8sCheEnv["CHE_INFRA_KUBERNETES_TLS__CERT"] = string(cheTLSSecret.Data["tls.crt"])
+		}
+
 		addMap(cheEnv, k8sCheEnv)
 	}
 
 	addMap(cheEnv, cr.Spec.Server.CustomCheProperties)
-	return cheEnv
+	return cheEnv, nil
 }
diff --git a/pkg/deploy/che_configmap_test.go b/pkg/deploy/che_configmap_test.go
index b4dce3d4c9..1fe2e9e268 100644
--- a/pkg/deploy/che_configmap_test.go
+++ b/pkg/deploy/che_configmap_test.go
@@ -28,7 +28,7 @@ func TestNewCheConfigMap(t *testing.T) {
 	cr.Spec.Server.CheHost = "myhostname.com"
 	cr.Spec.Server.TlsSupport = true
 	cr.Spec.Auth.OpenShiftoAuth = true
-	cheEnv := GetCheConfigMapData(cr, &Proxy{})
+	cheEnv, _ := GetCheConfigMapData(cr, &Proxy{}, ClusterAPI{})
 	testCm, _ := GetSpecConfigMap(cr, CheConfigMapName, cheEnv, ClusterAPI{})
 	identityProvider := testCm.Data["CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER"]
 	_, isOpenshiftv4, _ := util.DetectOpenShift()
@@ -53,7 +53,7 @@ func TestConfigMapOverride(t *testing.T) {
 		"CHE_WORKSPACE_NO_PROXY": "myproxy.myhostname.com",
 	}
 	cr.Spec.Auth.OpenShiftoAuth = true
-	cheEnv := GetCheConfigMapData(cr, &Proxy{})
+	cheEnv, _ := GetCheConfigMapData(cr, &Proxy{}, ClusterAPI{})
 	testCm, _ := GetSpecConfigMap(cr, CheConfigMapName, cheEnv, ClusterAPI{})
 	if testCm.Data["CHE_WORKSPACE_NO_PROXY"] != "myproxy.myhostname.com" {
 		t.Errorf("Test failed. Expected myproxy.myhostname.com but was %s", testCm.Data["CHE_WORKSPACE_NO_PROXY"])
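Review bot: The private key read from `tls.key` on the `CHE_INFRA_KUBERNETES_TLS__KEY` line is copied out of a Secret into the map that SyncCheConfigMapToCluster (first hunk of this file) turns into the Che ConfigMap, so the key becomes readable to anyone with ConfigMap read access in that namespace and loses the Secret-specific protections a cluster may apply (separate RBAC, encryption at rest); prefer keeping it in a Secret and wiring it into the Che deployment with a `secretKeyRef` env entry or a volume mount, and if the property really must be a ConfigMap value, say why in the comment above the `keyExists` check. The lookups `cheTLSSecret.Data["tls.key"]` and `cheTLSSecret.Data["tls.crt"]` also yield empty strings silently when either key is missing from the Secret, which would surface only as an opaque TLS failure in the workspace namespace, so a presence check that returns an error would fail fast with a clear cause. Separately, the new `return cheEnv, nil` still discards the `json.Unmarshal` error assigned on the hunk's first line even though the function now has an error result; `if err := json.Unmarshal(out, &cheEnv); err != nil { return nil, err }` would propagate it. GetCheConfigMapData begins before this hunk.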
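Review bot: `cheEnv, _ := GetCheConfigMapData(cr, &Proxy{}, ClusterAPI{})` discards the error the function now returns, so a failure inside it would leave `cheEnv` nil and the test would then assert on a ConfigMap built from nothing, reporting a misleading key mismatch instead of the real cause. Suggest `cheEnv, err := GetCheConfigMapData(cr, &Proxy{}, ClusterAPI{})` followed by `if err != nil { t.Fatal(err) }`; the same applies to the identical line in TestNewCheConfigMap. Neither test sets `CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT` in CustomCheProperties, so the new TLS-secret branch is not exercised; if ClusterAPI can be stubbed with a Secret carrying `tls.key`/`tls.crt`, a test for that path would cover the added code. TestConfigMapOverride starts before this hunk.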