rename Algorithms to Profile

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
This commit is contained in:
Tim Ramlot 2024-01-03 13:45:02 +01:00
parent 24794feac0
commit 8223df9e91
No known key found for this signature in database
GPG Key ID: 47428728E0C2878D
13 changed files with 66 additions and 66 deletions


@ -153,13 +153,6 @@ spec:
- create
- passwordSecretRef
properties:
algorithms:
description: "Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
type: string
enum:
- LegacyRC2
- LegacyDES
- Modern2023
create:
description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
type: boolean
@ -175,6 +168,13 @@ spec:
name:
description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
profile:
description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
type: string
enum:
- LegacyRC2
- LegacyDES
- Modern2023
literalSubject:
description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
type: string


@ -411,7 +411,7 @@ type PKCS12Keystore struct {
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector
// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
@ -420,20 +420,20 @@ type PKCS12Keystore struct {
// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
Algorithms PKCS12Algorithms
Profile PKCS12Profile
}
type PKCS12Algorithms string
type PKCS12Profile string
const (
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)
// CertificateStatus defines the observed state of Certificate


@ -1330,7 +1330,7 @@ func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *v1.PKCS12Ke
if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
out.Profile = certmanager.PKCS12Profile(in.Profile)
return nil
}
@ -1344,7 +1344,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager
if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = v1.PKCS12Algorithms(in.Algorithms)
out.Profile = v1.PKCS12Profile(in.Profile)
return nil
}


@ -333,7 +333,7 @@ type PKCS12Keystore struct {
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
@ -343,21 +343,21 @@ type PKCS12Keystore struct {
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
// +optional
Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
Profile PKCS12Profile `json:"profile,omitempty"`
}
// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
type PKCS12Algorithms string
type PKCS12Profile string
const (
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)
// CertificateStatus defines the observed state of Certificate


@ -1336,7 +1336,7 @@ func autoConvert_v1alpha2_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
out.Profile = certmanager.PKCS12Profile(in.Profile)
return nil
}
@ -1350,7 +1350,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha2_PKCS12Keystore(in *certm
if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = PKCS12Algorithms(in.Algorithms)
out.Profile = PKCS12Profile(in.Profile)
return nil
}


@ -341,7 +341,7 @@ type PKCS12Keystore struct {
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
@ -351,21 +351,21 @@ type PKCS12Keystore struct {
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
// +optional
Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
Profile PKCS12Profile `json:"profile,omitempty"`
}
// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
type PKCS12Algorithms string
type PKCS12Profile string
const (
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)
// CertificateStatus defines the observed state of Certificate


@ -1335,7 +1335,7 @@ func autoConvert_v1alpha3_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
out.Profile = certmanager.PKCS12Profile(in.Profile)
return nil
}
@ -1349,7 +1349,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha3_PKCS12Keystore(in *certm
if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = PKCS12Algorithms(in.Algorithms)
out.Profile = PKCS12Profile(in.Profile)
return nil
}


@ -338,7 +338,7 @@ type PKCS12Keystore struct {
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
@ -348,21 +348,21 @@ type PKCS12Keystore struct {
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
// +optional
Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
Profile PKCS12Profile `json:"profile,omitempty"`
}
// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
type PKCS12Algorithms string
type PKCS12Profile string
const (
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)
// CertificateStatus defines the observed state of Certificate


@ -1318,7 +1318,7 @@ func autoConvert_v1beta1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12
if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
out.Profile = certmanager.PKCS12Profile(in.Profile)
return nil
}
@ -1332,7 +1332,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1beta1_PKCS12Keystore(in *certma
if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
return err
}
out.Algorithms = PKCS12Algorithms(in.Algorithms)
out.Profile = PKCS12Profile(in.Profile)
return nil
}


@ -462,7 +462,7 @@ type PKCS12Keystore struct {
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
@ -472,21 +472,21 @@ type PKCS12Keystore struct {
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
// +optional
Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
Profile PKCS12Profile `json:"profile,omitempty"`
}
// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
type PKCS12Algorithms string
type PKCS12Profile string
const (
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"
// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)
// CertificateStatus defines the observed state of Certificate


@ -39,7 +39,7 @@ import (
// If the certificate data contains multiple certificates, the first will be used
// as the keystores 'certificate' and the remaining certificates will be prepended
// to the list of CAs in the resulting keystore.
func encodePKCS12Keystore(algorithms cmapi.PKCS12Algorithms, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
func encodePKCS12Keystore(profile cmapi.PKCS12Profile, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
key, err := pki.DecodePrivateKeyBytes(rawKey)
if err != nil {
return nil, err
@ -61,19 +61,19 @@ func encodePKCS12Keystore(algorithms cmapi.PKCS12Algorithms, password string, ra
cas = append(certs[1:], cas...)
}
switch algorithms {
case cmapi.Modern2023PKCS12Algorithms:
switch profile {
case cmapi.Modern2023PKCS12Profile:
return pkcs12.Modern2023.Encode(key, certs[0], cas, password)
case cmapi.LegacyDESPKCS12Algorithms:
case cmapi.LegacyDESPKCS12Profile:
return pkcs12.LegacyDES.Encode(key, certs[0], cas, password)
case cmapi.LegacyRC2PKCS12Algorithms:
case cmapi.LegacyRC2PKCS12Profile:
return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password)
default:
return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password)
}
}
func encodePKCS12Truststore(algorithms cmapi.PKCS12Algorithms, password string, caPem []byte) ([]byte, error) {
func encodePKCS12Truststore(profile cmapi.PKCS12Profile, password string, caPem []byte) ([]byte, error) {
ca, err := pki.DecodeX509CertificateBytes(caPem)
if err != nil {
return nil, err
@ -81,12 +81,12 @@ func encodePKCS12Truststore(algorithms cmapi.PKCS12Algorithms, password string,
var cas = []*x509.Certificate{ca}
switch algorithms {
case cmapi.Modern2023PKCS12Algorithms:
switch profile {
case cmapi.Modern2023PKCS12Profile:
return pkcs12.Modern2023.EncodeTrustStore(cas, password)
case cmapi.LegacyDESPKCS12Algorithms:
case cmapi.LegacyDESPKCS12Profile:
return pkcs12.LegacyDES.EncodeTrustStore(cas, password)
case cmapi.LegacyRC2PKCS12Algorithms:
case cmapi.LegacyRC2PKCS12Profile:
return pkcs12.LegacyRC2.EncodeTrustStore(cas, password)
default:
return pkcs12.LegacyRC2.EncodeTrustStore(cas, password)


@ -312,8 +312,8 @@ func TestEncodePKCS12Keystore(t *testing.T) {
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
out, err := encodePKCS12Keystore(algorithm, test.password, test.rawKey, test.certPEM, test.caPEM)
for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} {
out, err := encodePKCS12Keystore(profile, test.password, test.rawKey, test.certPEM, test.caPEM)
test.verify(t, out, err)
}
})
@ -323,8 +323,8 @@ func TestEncodePKCS12Keystore(t *testing.T) {
var emptyCAChain []byte = nil
chain := mustLeafWithChain(t)
for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), emptyCAChain)
for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} {
out, err := encodePKCS12Keystore(profile, password, chain.leaf.keyPEM, chain.all.certsToPEM(), emptyCAChain)
require.NoError(t, err)
pkOut, certOut, caChain, err := pkcs12.DecodeChain(out, password)
@ -344,8 +344,8 @@ func TestEncodePKCS12Keystore(t *testing.T) {
require.NoError(t, err)
chain := mustLeafWithChain(t)
for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), caChainInPEM)
for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} {
out, err := encodePKCS12Keystore(profile, password, chain.leaf.keyPEM, chain.all.certsToPEM(), caChainInPEM)
require.NoError(t, err)
pkOut, certOut, caChainOut, err := pkcs12.DecodeChain(out, password)
@ -393,8 +393,8 @@ func TestEncodePKCS12Truststore(t *testing.T) {
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
out, err := encodePKCS12Truststore(algorithm, test.password, test.caPEM)
for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} {
out, err := encodePKCS12Truststore(profile, test.password, test.caPEM)
test.verify(t, test.caPEM, out, err)
}
})


@ -258,8 +258,8 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
return fmt.Errorf("PKCS12 keystore password Secret contains no data for key %q", ref.Key)
}
pw := pwSecret.Data[ref.Key]
algorithms := crt.Spec.Keystores.PKCS12.Algorithms
keystoreData, err := encodePKCS12Keystore(algorithms, string(pw), data.PrivateKey, data.Certificate, data.CA)
profile := crt.Spec.Keystores.PKCS12.Profile
keystoreData, err := encodePKCS12Keystore(profile, string(pw), data.PrivateKey, data.Certificate, data.CA)
if err != nil {
return fmt.Errorf("error encoding PKCS12 bundle: %w", err)
}
@ -267,7 +267,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
secret.Data[cmapi.PKCS12SecretKey] = keystoreData
if len(data.CA) > 0 {
truststoreData, err := encodePKCS12Truststore(algorithms, string(pw), data.CA)
truststoreData, err := encodePKCS12Truststore(profile, string(pw), data.CA)
if err != nil {
return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err)
}