diff --git a/api/v1/infinispan_webhook.go b/api/v1/infinispan_webhook.go
index 52d7ef5e2..1ecb686ed 100644
--- a/api/v1/infinispan_webhook.go
+++ b/api/v1/infinispan_webhook.go
@@ -252,10 +252,19 @@ func (i *Infinispan) validate() error {
 		allErrs = append(allErrs, err)
 	}
 
-	if i.IsEncryptionEnabled() && i.Spec.Security.EndpointEncryption.CertSecretName == "" {
-		msg := fmt.Sprintf("field must be provided for 'spec.security.endpointEncryption.certificateSourceType=%s' to be configured", CertificateSourceTypeSecret)
-		err := field.Required(field.NewPath("spec").Child("security").Child("endpointEncryption").Child("certSecretName"), msg)
-		allErrs = append(allErrs, err)
+	if i.IsEncryptionEnabled() {
+		e := i.Spec.Security.EndpointEncryption
+		if e.CertSecretName == "" {
+			msg := fmt.Sprintf("field must be provided for 'spec.security.endpointEncryption.certificateSourceType=%s' to be configured", CertificateSourceTypeSecret)
+			err := field.Required(field.NewPath("spec").Child("security").Child("endpointEncryption").Child("certSecretName"), msg)
+			allErrs = append(allErrs, err)
+		}
+
+		if e.CertServiceName != "" && e.Type == CertificateSourceTypeSecret {
+			msg := fmt.Sprintf(".certServiceName cannot be configured with Encryption .type=%s", CertificateSourceTypeSecret)
+			err := field.Forbidden(field.NewPath("spec").Child("security").Child("endpointEncryption").Child("certServiceName"), msg)
+			allErrs = append(allErrs, err)
+		}
 	}
 
 	if cl := i.Spec.ConfigListener; cl != nil {
diff --git a/api/v1/infinispan_webhook_test.go b/api/v1/infinispan_webhook_test.go
index 35f48cdf9..ce48f9791 100644
--- a/api/v1/infinispan_webhook_test.go
+++ b/api/v1/infinispan_webhook_test.go
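Review bot: The `spec.security.endpointEncryption` field path is built twice in the new block, once for `certSecretName` and once for `certServiceName`; hoisting it as `encPath := field.NewPath("spec").Child("security").Child("endpointEncryption")` and then using `encPath.Child("certSecretName")` and `encPath.Child("certServiceName")` keeps both errors anchored on the same prefix and shortens the two `field.Required`/`field.Forbidden` lines. The two messages also name the discriminator field differently — the Required message says `certificateSourceType=%s` while the new Forbidden message says `.type=%s` — and users will see them side by side, so aligning on whichever name the API actually serializes would avoid confusion. The new Forbidden check is gated on `e.Type == CertificateSourceTypeSecret` while the Required check on `CertSecretName` is not; if `IsEncryptionEnabled()` can be true for a source type other than Secret, that asymmetry is worth confirming as intended. `validate()` begins before this hunk and continues after it.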
@@ -614,6 +614,28 @@ var _ = Describe("Infinispan Webhooks", func() {
 			statusDetailCause{"FieldValueForbidden", "spec.jmx", "JMX configuration is immutable and cannot be updated after initial Infinispan creation"},
 		)
 	})
+
+	It("Should prevent incompatible TLS configuration", func() {
+		ispn := &Infinispan{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      key.Name,
+				Namespace: key.Namespace,
+			},
+			Spec: InfinispanSpec{
+				Replicas: 1,
+				Security: InfinispanSecurity{
+					EndpointEncryption: &EndpointEncryption{
+						CertSecretName:  "secret-name",
+						CertServiceName: "service.com",
+						Type:            CertificateSourceTypeSecret,
+					},
+				},
+			},
+		}
+		expectInvalidErrStatus(k8sClient.Create(ctx, ispn),
+			statusDetailCause{"FieldValueForbidden", "spec.security.endpointEncryption.certServiceName", ".certServiceName cannot be configured with Encryption .type=Secret"},
+		)
+	})
 })
 })
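Review bot: The new `It` only exercises the rejecting path; there is no companion case asserting that `CertServiceName` is still accepted when `Type` is a non-Secret source, so a future over-broad guard in `validate()` would pass this suite unnoticed. A second spec built from the same `Infinispan` object with `Type` set to the service-based source type the API defines, expecting `k8sClient.Create(ctx, ispn)` to succeed, would pin both sides of the new rule. The expected message is duplicated as a literal here rather than derived from the webhook's format string, which is normal for this file but means the two must be updated together if the wording changes. The enclosing `Describe` starts before this hunk; its closing lines fall inside it.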