diff --git a/pkg/provider/kubernetes/gateway/client.go b/pkg/provider/kubernetes/gateway/client.go
index 638760762..6c704e99e 100644
--- a/pkg/provider/kubernetes/gateway/client.go
+++ b/pkg/provider/kubernetes/gateway/client.go
@@ -757,7 +757,7 @@ func (c *clientWrapper) ListBackendTLSPoliciesForService(namespace, serviceName
 for _, policy := range policies {
 for _, ref := range policy.Spec.TargetRefs {
 // The policy does not target the service.
- if ref.Group != groupCore || ref.Kind != kindService || string(ref.Name) != serviceName {
+ if (ref.Group != "" && ref.Group != groupCore) || ref.Kind != kindService || string(ref.Name) != serviceName {
 continue
 }
diff --git a/pkg/provider/kubernetes/gateway/fixtures/httproute/with_backend_tls_policy.yml b/pkg/provider/kubernetes/gateway/fixtures/httproute/with_backend_tls_policy.yml
index e64a341b6..7748aee47 100644
--- a/pkg/provider/kubernetes/gateway/fixtures/httproute/with_backend_tls_policy.yml
+++ b/pkg/provider/kubernetes/gateway/fixtures/httproute/with_backend_tls_policy.yml
@@ -58,15 +58,18 @@ metadata:
 namespace: default
 spec:
 targetRefs:
- - group: core
+ - group: ""
 kind: Service
 name: whoami
 validation:
 hostname: whoami
 caCertificateRefs:
- - group: core
+ - group: ""
 kind: ConfigMap
 name: ca-file
+ - group: core
+ kind: ConfigMap
+ name: ca-file-2
 ---
 apiVersion: v1
@@ -76,3 +79,12 @@ metadata:
 namespace: default
 data:
 ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ca-file-2
+ namespace: default
+data:
+ ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
diff --git a/pkg/provider/kubernetes/gateway/httproute.go b/pkg/provider/kubernetes/gateway/httproute.go
index a58d53560..198ce7fca 100644
--- a/pkg/provider/kubernetes/gateway/httproute.go
+++ b/pkg/provider/kubernetes/gateway/httproute.go
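Review bot: The widened group test in `ListBackendTLSPoliciesForService` (client.go) accepts two spellings of the core API group with no comment saying why, and the same expression is repeated for `caCertRef` in `loadServersTransport` (httproute.go). A line such as `// "" is the Kubernetes core API group; groupCore is accepted as well.` above the `if` would record the intent for the next reader. A small shared predicate taking the group value (for example one named `isCoreGroup`) would keep the two call sites from drifting apart, which matters because both decide which TLS policy material is applied to a backend. The enclosing function starts and ends outside the hunk.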
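Review bot: With `targetRefs` switched to `group: ""`, this fixture no longer contains a target ref using `group: core`, so the `groupCore` branch that `ListBackendTLSPoliciesForService` still accepts is not exercised by this file; only `caCertificateRefs` covers both spellings. Unless another fixture covers it, adding a second `targetRefs` entry or a second policy with `group: core` would pin the backward-compatible path. Without that, a later cleanup could drop the `groupCore` case for target refs and the policy would silently stop being attached to the service.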
@@ -519,7 +519,7 @@ func (p *Provider) loadServersTransport(namespace string, policy gatev1alpha3.Ba
 }
 for _, caCertRef := range policy.Spec.Validation.CACertificateRefs {
- if caCertRef.Group != groupCore || caCertRef.Kind != "ConfigMap" {
+ if (caCertRef.Group != "" && caCertRef.Group != groupCore) || caCertRef.Kind != "ConfigMap" {
 continue
 }
diff --git a/pkg/provider/kubernetes/gateway/kubernetes_test.go b/pkg/provider/kubernetes/gateway/kubernetes_test.go
index 9e884f30d..c25a4b4c0 100644
--- a/pkg/provider/kubernetes/gateway/kubernetes_test.go
+++ b/pkg/provider/kubernetes/gateway/kubernetes_test.go
@@ -2303,6 +2303,7 @@ func TestLoadHTTPRoutes(t *testing.T) {
 ServerName: "whoami",
 RootCAs: []types.FileOrContent{
 "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=",
+ "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=",
 },
 },
 },
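Review bot: In `loadServersTransport` (httproute.go), a `caCertRef` whose group or kind is not recognised is still dropped by the bare `continue`, so a typo in a manifest silently removes a trust anchor from the backend TLS configuration. Which roots the transport uses when no ref is loaded is not visible in this hunk and is worth confirming. The skip should at least be surfaced. If the function returns a value and an error, which the truncated signature does not show, failing closed would be safer: `return nil, fmt.Errorf("unsupported CA certificate ref: group %q, kind %q", caCertRef.Group, caCertRef.Kind)`. The loop body and the function continue outside the hunk.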
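Review bot: The expectation added to `RootCAs` in `TestLoadHTTPRoutes` is byte-identical to the entry above it, because the new `ca-file-2` ConfigMap in with_backend_tls_policy.yml carries the same `ca.crt` value as `ca-file`. The assertion therefore cannot tell loading both ConfigMaps apart from loading one of them twice, and it does not check ordering. Giving `ca-file-2` a distinct constructed payload in the fixture and expecting that value here would make the test pin the `group: core` reference specifically. The test function starts and ends outside the hunk.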