diff --git a/pkg/controller/certificaterequests/approver/sync.go b/pkg/controller/certificaterequests/approver/sync.go
index 7824793fb..221740a6f 100644
--- a/pkg/controller/certificaterequests/approver/sync.go
+++ b/pkg/controller/certificaterequests/approver/sync.go
@@ -53,6 +53,7 @@ func (c *Controller) Sync(ctx context.Context, cr *cmapi.CertificateRequest) (er
 	}
 
 	// Update the CertificateRequest approved condition to true.
+	cr = cr.DeepCopy()
 	apiutil.SetCertificateRequestCondition(cr,
 		cmapi.CertificateRequestConditionApproved,
 		cmmeta.ConditionTrue,
diff --git a/pkg/controller/certificates/internal/secretsmanager/secret.go b/pkg/controller/certificates/internal/secretsmanager/secret.go
index 6e388cab1..019413513 100644
--- a/pkg/controller/certificates/internal/secretsmanager/secret.go
+++ b/pkg/controller/certificates/internal/secretsmanager/secret.go
@@ -102,6 +102,7 @@ func (s *SecretsManager) UpdateData(ctx context.Context, crt *cmapi.Certificate,
 		secret.OwnerReferences = []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)}
 	}
 
+	secret = secret.DeepCopy()
 	err = s.setValues(crt, secret, data)
 	if err != nil {
 		return err