diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml
index 93c06123b..f01736f42 100644
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@@ -154,7 +154,7 @@ spec:
 - passwordSecretRef
 properties:
 algorithms:
- description: "Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure, used for maximal compatibility. `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret."
+ description: "Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
 type: string
 enum:
 - LegacyRC2
diff --git a/internal/apis/certmanager/types_certificate.go b/internal/apis/certmanager/types_certificate.go
index eba47b2cd..497630f9d 100644
--- a/internal/apis/certmanager/types_certificate.go
+++ b/internal/apis/certmanager/types_certificate.go
@@ -416,8 +416,10 @@ type PKCS12Keystore struct {
 //
 // If provided, allowed values are:
 // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
- // `LegacyDES`: Less secure, used for maximal compatibility.
- // `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+ // `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+ // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+ // (eg. because of company policy). Please note that the security of the algorithm is not that important
+ // in reality, because the unencrypted certificate and private key are also stored in the Secret.
 Algorithms PKCS12Algorithms
 }
diff --git a/internal/apis/certmanager/v1alpha2/types_certificate.go b/internal/apis/certmanager/v1alpha2/types_certificate.go
index bf9cb11f2..942b544a9 100644
--- a/internal/apis/certmanager/v1alpha2/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha2/types_certificate.go
@@ -338,8 +338,10 @@ type PKCS12Keystore struct {
 //
 // If provided, allowed values are:
 // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
- // `LegacyDES`: Less secure, used for maximal compatibility.
- // `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+ // `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+ // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+ // (eg. because of company policy). Please note that the security of the algorithm is not that important
+ // in reality, because the unencrypted certificate and private key are also stored in the Secret.
 // +optional
 Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
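Review bot: The added sentence `Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret.` describes the wrong threat model and should be reworded: it tells users the choice does not matter, but the keystore encryption is exactly what protects the keystore once it is copied out of the cluster (mounted on a JVM host, handed to another team, backed up), and the deprecated RC2/DES options are deprecated precisely because they offer little resistance to offline guessing of the keystore password. Suggested replacement for the last two added lines: `// Note that this encryption only protects a keystore that has been extracted from the Secret; anyone who can read the Secret also gets the certificate and private key, which are stored there unencrypted.` Also `eg.` should be `e.g.`. The same text is repeated in the v1alpha2, v1alpha3, v1beta1 and v1 `types_certificate.go` hunks and in the description in `deploy/crds/crd-certificates.yaml` (which presumably is generated from these comments), so the wording should be fixed in all of them. The PKCS12Keystore struct begins above the hunk.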
diff --git a/internal/apis/certmanager/v1alpha3/types_certificate.go b/internal/apis/certmanager/v1alpha3/types_certificate.go
index 57225c1f1..d9e341cbc 100644
--- a/internal/apis/certmanager/v1alpha3/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha3/types_certificate.go
@@ -346,8 +346,10 @@ type PKCS12Keystore struct {
 //
 // If provided, allowed values are:
 // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
- // `LegacyDES`: Less secure, used for maximal compatibility.
- // `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+ // `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+ // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+ // (eg. because of company policy). Please note that the security of the algorithm is not that important
+ // in reality, because the unencrypted certificate and private key are also stored in the Secret.
 // +optional
 Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
diff --git a/internal/apis/certmanager/v1beta1/types_certificate.go b/internal/apis/certmanager/v1beta1/types_certificate.go
index d60f48b3d..b576345d0 100644
--- a/internal/apis/certmanager/v1beta1/types_certificate.go
+++ b/internal/apis/certmanager/v1beta1/types_certificate.go
@@ -343,8 +343,10 @@ type PKCS12Keystore struct {
 //
 // If provided, allowed values are:
 // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
- // `LegacyDES`: Less secure, used for maximal compatibility.
- // `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+ // `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+ // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+ // (eg. because of company policy). Please note that the security of the algorithm is not that important
+ // in reality, because the unencrypted certificate and private key are also stored in the Secret.
 // +optional
 Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go
index 2fdfddea1..4acd37394 100644
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
@@ -467,8 +467,10 @@ type PKCS12Keystore struct {
 //
 // If provided, allowed values are:
 // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
- // `LegacyDES`: Less secure, used for maximal compatibility.
- // `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+ // `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+ // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+ // (eg. because of company policy). Please note that the security of the algorithm is not that important
+ // in reality, because the unencrypted certificate and private key are also stored in the Secret.
 // +optional
 Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }