diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index 9dfc01e88..8430c4386 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -218,8 +218,8 @@ func (c *Controller) certificateMatchesSpec(crt *v1alpha1.Certificate, key crypt
 // validate the ip addresses are correct
 expectedIPAddresses := pki.IPAddressesNameForCertificate(crt)
- if !util.EqualUnsorted(util.IPAddressesToString(cert.IPAddresses), expectedIPAddresses) {
- errs = append(errs, fmt.Sprintf("IP Addresses on TLS certificate not up to date: %q", util.IPAddressesToString(cert.IPAddresses)))
+ if !util.EqualUnsorted(pki.IPAddressesToString(cert.IPAddresses), expectedIPAddresses) {
+ errs = append(errs, fmt.Sprintf("IP Addresses on TLS certificate not up to date: %q", pki.IPAddressesToString(cert.IPAddresses)))
 }
 return len(errs) == 0, errs
@@ -320,7 +320,7 @@ func (c *Controller) updateSecret(crt *v1alpha1.Certificate, namespace string, c
 secret.Annotations[v1alpha1.IssuerKindAnnotationKey] = issuerKind(crt)
 secret.Annotations[v1alpha1.CommonNameAnnotationKey] = x509Cert.Subject.CommonName
 secret.Annotations[v1alpha1.AltNamesAnnotationKey] = strings.Join(x509Cert.DNSNames, ",")
- secret.Annotations[v1alpha1.IPSANAnnotationKey] = strings.Join(util.IPAddressesToString(x509Cert.IPAddresses), ",")
+ secret.Annotations[v1alpha1.IPSANAnnotationKey] = strings.Join(pki.IPAddressesToString(x509Cert.IPAddresses), ",")
 }
 // Always set the certificate name label on the target secret
diff --git a/pkg/issuer/vault/issue.go b/pkg/issuer/vault/issue.go
index f582307ad..76f32ea1a 100644
--- a/pkg/issuer/vault/issue.go
+++ b/pkg/issuer/vault/issue.go
@@ -22,7 +22,6 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
- "net"
 "net/http"
 "path"
 "strings"
@@ -94,7 +93,7 @@ func (v *Vault) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.I
 certDuration = crt.Spec.Duration.Duration
 }
- certPem, caPem, err := v.requestVaultCert(template.Subject.CommonName, certDuration, template.DNSNames, ipAddressesToString(template.IPAddresses), pemRequestBuf.Bytes())
+ certPem, caPem, err := v.requestVaultCert(template.Subject.CommonName, certDuration, template.DNSNames, pki.IPAddressesToString(template.IPAddresses), pemRequestBuf.Bytes())
 if err != nil {
 v.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Failed to request certificate: %v", err)
 return nil, err
@@ -318,10 +317,3 @@ func (v *Vault) vaultTokenRef(name, key string) (string, error) {
 return token, nil
 }
-func ipAddressesToString(ipAddresses []net.IP) []string {
- var ipNames []string
- for _, ip := range ipAddresses {
- ipNames = append(ipNames, ip.String())
- }
- return ipNames
-}
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index a5718f9e1..1bc7a8fe4 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -78,6 +78,14 @@ func IPAddressesNameForCertificate(crt *v1alpha1.Certificate) []string {
 return removeDuplicates(ipAddressNames)
 }
+func IPAddressesToString(ipAddresses []net.IP) []string {
+ var ipNames []string
+ for _, ip := range ipAddresses {
+ ipNames = append(ipNames, ip.String())
+ }
+ return ipNames
+}
+
 func removeDuplicates(in []string) []string {
 var found []string
 Outer:
diff --git a/pkg/util/util.go b/pkg/util/util.go
index b7717b573..cfbeb678d 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -18,7 +18,6 @@ package util
 import (
 "math/rand"
- "net"
 "sort"
 "time"
 )
@@ -77,10 +76,3 @@ func Contains(ss []string, s string) bool {
 return false
 }
-func IPAddressesToString(ipAddresses []net.IP) []string {
- var ipNames []string
- for _, ip := range ipAddresses {
- ipNames = append(ipNames, ip.String())
- }
- return ipNames
-}
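Review bot: The exported `IPAddressesToString` added in pkg/util/pki/csr.go has no doc comment, although it is now the one helper behind the IP SAN check in certificateMatchesSpec, the IP SAN annotation in updateSecret and the `requestVaultCert` call in Issue. I would add `// IPAddressesToString returns the string form of each address in ipAddresses, preserving order; it returns nil for an empty input.` above it. `net.IP.String()` yields `<nil>` for a zero-length address instead of failing, so the comment could also state that callers are expected to pass parsed addresses, as the visible call sites do with certificate and template fields. The check in certificateMatchesSpec compares strings, and whether `IPAddressesNameForCertificate` produces the same canonical text for the spec's addresses is not visible in this diff, so that is worth confirming to avoid a certificate that never matches its spec.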