diff --git a/internal/apis/certmanager/types_certificate.go b/internal/apis/certmanager/types_certificate.go
index 8f364711b..f74b2822e 100644
--- a/internal/apis/certmanager/types_certificate.go
+++ b/internal/apis/certmanager/types_certificate.go
@@ -410,8 +410,25 @@ type PKCS12Keystore struct {
 	// PasswordSecretRef is a reference to a key in a Secret resource
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector
+
+	// Algorithm is the encryption and MAC algorithms used to create the PKCS12 keystore.
+	//
+	// If provided, allowed values are either `RC2-40-CBC:HMAC-SHA-1` or `AES-256-CBC:HMAC-SHA-2`.
+	// Default value is `RC2-40-CBC:HMAC-SHA-1` for backward compatibility.
+	// Note: By default, OpenSSL 3 can't decode PKCS#12 files created using `RC2-40-CBC:HMAC-SHA-1`.
+	Algorithm PKCS12Algorithm
 }
 
+type PKCS12Algorithm string
+
+const (
+	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
+	RC2PKCS12Algorithm PKCS12Algorithm = "RC2-40-CBC:HMAC-SHA-1"
+
+	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
+	AESPKCS12Algorithm PKCS12Algorithm = "AES-256-CBC:HMAC-SHA-2"
+)
+
 // CertificateStatus defines the observed state of Certificate
 type CertificateStatus struct {
 	// List of status conditions to indicate the status of certificates.
diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go
index 52119b98d..442736b17 100644
--- a/internal/apis/certmanager/v1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1/zz_generated.conversion.go
@@ -1330,6 +1330,7 @@ func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *v1.PKCS12Ke
 	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
@@ -1343,6 +1344,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager
 	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = v1.PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
diff --git a/internal/apis/certmanager/v1alpha2/types_certificate.go b/internal/apis/certmanager/v1alpha2/types_certificate.go
index e04e5bedd..0e6fb8fca 100644
--- a/internal/apis/certmanager/v1alpha2/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha2/types_certificate.go
@@ -332,8 +332,27 @@ type PKCS12Keystore struct {
 	// PasswordSecretRef is a reference to a key in a Secret resource
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
+
+	// Algorithm is the encryption and MAC algorithms used to create the PKCS12 keystore.
+	//
+	// If provided, allowed values are either `RC2-40-CBC:HMAC-SHA-1` or `AES-256-CBC:HMAC-SHA-2`.
+	// Default value is `RC2-40-CBC:HMAC-SHA-1` for backward compatibility.
+	// Note: By default, OpenSSL 3 can't decode PKCS#12 files created using `RC2-40-CBC:HMAC-SHA-1`.
+	// +optional
+	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
 }
 
+// +kubebuilder:validation:Enum="RC2-40-CBC:HMAC-SHA-1";"AES-256-CBC:HMAC-SHA-2"
+type PKCS12Algorithm string
+
+const (
+	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
+	RC2PKCS12Algorithm PKCS12Algorithm = "RC2-40-CBC:HMAC-SHA-1"
+
+	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
+	AESPKCS12Algorithm PKCS12Algorithm = "AES-256-CBC:HMAC-SHA-2"
+)
+
 // CertificateStatus defines the observed state of Certificate
 type CertificateStatus struct {
 	// List of status conditions to indicate the status of certificates.
diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
index 258e69a60..5f91a593a 100644
--- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
@@ -1336,6 +1336,7 @@ func autoConvert_v1alpha2_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
@@ -1349,6 +1350,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha2_PKCS12Keystore(in *certm
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
diff --git a/internal/apis/certmanager/v1alpha3/types_certificate.go b/internal/apis/certmanager/v1alpha3/types_certificate.go
index 5426318f2..4c57b710e 100644
--- a/internal/apis/certmanager/v1alpha3/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha3/types_certificate.go
@@ -338,9 +338,28 @@ type PKCS12Keystore struct {
 
 	// PasswordSecretRef is a reference to a key in a Secret resource
 	// containing the password used to encrypt the PKCS12 keystore.
+
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
+	// Algorithm is the encryption and MAC algorithms used to create the PKCS12 keystore.
+	//
+	// If provided, allowed values are either `RC2-40-CBC:HMAC-SHA-1` or `AES-256-CBC:HMAC-SHA-2`.
+	// Default value is `RC2-40-CBC:HMAC-SHA-1` for backward compatibility.
+	// Note: By default, OpenSSL 3 can't decode PKCS#12 files created using `RC2-40-CBC:HMAC-SHA-1`.
+	// +optional
+	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
 }
 
+// +kubebuilder:validation:Enum="RC2-40-CBC:HMAC-SHA-1";"AES-256-CBC:HMAC-SHA-2"
+type PKCS12Algorithm string
+
+const (
+	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
+	RC2PKCS12Algorithm PKCS12Algorithm = "RC2-40-CBC:HMAC-SHA-1"
+
+	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
+	AESPKCS12Algorithm PKCS12Algorithm = "AES-256-CBC:HMAC-SHA-2"
+)
+
 // CertificateStatus defines the observed state of Certificate
 type CertificateStatus struct {
 	// List of status conditions to indicate the status of certificates.
diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
index f2ef03cb6..ae470cf26 100644
--- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@@ -1335,6 +1335,7 @@ func autoConvert_v1alpha3_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
@@ -1348,6 +1349,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha3_PKCS12Keystore(in *certm
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
diff --git a/internal/apis/certmanager/v1beta1/types_certificate.go b/internal/apis/certmanager/v1beta1/types_certificate.go
index 8ac3ba2b6..164837c8a 100644
--- a/internal/apis/certmanager/v1beta1/types_certificate.go
+++ b/internal/apis/certmanager/v1beta1/types_certificate.go
@@ -337,8 +337,27 @@ type PKCS12Keystore struct {
 	// PasswordSecretRef is a reference to a key in a Secret resource
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
+
+	// Algorithm is the encryption and MAC algorithms used to create the PKCS12 keystore.
+	//
+	// If provided, allowed values are either `RC2-40-CBC:HMAC-SHA-1` or `AES-256-CBC:HMAC-SHA-2`.
+	// Default value is `RC2-40-CBC:HMAC-SHA-1` for backward compatibility.
+	// Note: By default, OpenSSL 3 can't decode PKCS#12 files created using `RC2-40-CBC:HMAC-SHA-1`.
+	// +optional
+	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
 }
 
+// +kubebuilder:validation:Enum="RC2-40-CBC:HMAC-SHA-1";"AES-256-CBC:HMAC-SHA-2"
+type PKCS12Algorithm string
+
+const (
+	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
+	RC2PKCS12Algorithm PKCS12Algorithm = "RC2-40-CBC:HMAC-SHA-1"
+
+	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
+	AESPKCS12Algorithm PKCS12Algorithm = "AES-256-CBC:HMAC-SHA-2"
+)
+
 // CertificateStatus defines the observed state of Certificate
 type CertificateStatus struct {
 	// List of status conditions to indicate the status of certificates.
diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
index dbcfe16f9..7a654d9c2 100644
--- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
@@ -1318,6 +1318,7 @@ func autoConvert_v1beta1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
 	return nil
 }
 
@@ -1331,6 +1332,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1beta1_PKCS12Keystore(in *certma
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
+	out.Algorithm = PKCS12Algorithm(in.Algorithm)
 	return nil
 }