diff --git a/pkg/apis/certmanager/v1alpha2/types_certificate.go b/pkg/apis/certmanager/v1alpha2/types_certificate.go
index 74a4b0d46..ceb9914cf 100644
--- a/pkg/apis/certmanager/v1alpha2/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go
@@ -133,6 +133,10 @@ type CertificateSpec struct {
 // If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is
 // empty or is set to "rsa", and value must be one of (256, 384, 521) when
 // KeyAlgorithm is set to "ecdsa".
+ // +kubebuilder:validation:ExclusiveMaximum=false
+ // +kubebuilder:validation:Maximum=8192
+ // +kubebuilder:validation:ExclusiveMinimum=false
+ // +kubebuilder:validation:Minimum=0
 // +optional
 KeySize int `json:"keySize,omitempty"`
diff --git a/pkg/apis/certmanager/v1alpha3/types_certificate.go b/pkg/apis/certmanager/v1alpha3/types_certificate.go
index 0dec73d16..ed371da1f 100644
--- a/pkg/apis/certmanager/v1alpha3/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha3/types_certificate.go
@@ -129,6 +129,10 @@ type CertificateSpec struct {
 // If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is
 // empty or is set to "rsa", and value must be one of (256, 384, 521) when
 // KeyAlgorithm is set to "ecdsa".
+ // +kubebuilder:validation:ExclusiveMaximum=false
+ // +kubebuilder:validation:Maximum=8192
+ // +kubebuilder:validation:ExclusiveMinimum=false
+ // +kubebuilder:validation:Minimum=0
 // +optional
 KeySize int `json:"keySize,omitempty"`
diff --git a/pkg/internal/apis/certmanager/validation/certificate.go b/pkg/internal/apis/certmanager/validation/certificate.go
index e6e3a59cc..dbd1c4af6 100644
--- a/pkg/internal/apis/certmanager/validation/certificate.go
+++ b/pkg/internal/apis/certmanager/validation/certificate.go
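Review bot: `Minimum=0` and `Maximum=8192` on `KeySize` only bound the integer; they do not express the rule in the field comment directly above (2048–8192 for RSA, 256/384/521 for ECDSA), so the per-algorithm switch in `ValidateCertificateSpec` remains the control that rejects weak key sizes. The same commit removes the `crt.KeySize < 0` check from that function, and its `case cmapi.KeyAlgorithm(""):` arm is empty, so for an unset algorithm a negative size is now rejected only where this schema is actually installed and enforced by the API server. I would keep the webhook check as a second layer and add a comment beside the markers such as `// Schema bounds are coarse; algorithm-specific limits are enforced by the validating webhook.` The `ExclusiveMaximum=false` / `ExclusiveMinimum=false` markers appear to restate the OpenAPI default and could be dropped. The identical v1alpha3 hunk has the same issue, and the `keyEncoding` check removed in validation/certificate.go has no replacement marker in the hunks shown, so confirm an enum constraint exists on that type before relying on the schema alone.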
@@ -52,9 +52,6 @@ func ValidateCertificateSpec(crt *cmapi.CertificateSpec, fldPath *field.Path) fi
 if len(crt.IPAddresses) > 0 {
 el = append(el, validateIPAddresses(crt, fldPath)...)
 }
- if crt.KeySize < 0 {
- el = append(el, field.Invalid(fldPath.Child("keySize"), crt.KeySize, "cannot be less than zero"))
- }
 switch crt.KeyAlgorithm {
 case cmapi.KeyAlgorithm(""):
 case cmapi.RSAKeyAlgorithm:
@@ -75,11 +72,6 @@ func ValidateCertificateSpec(crt *cmapi.CertificateSpec, fldPath *field.Path) fi
 if len(crt.Usages) > 0 {
 el = append(el, validateUsages(crt, fldPath)...)
 }
- switch crt.KeyEncoding {
- case cmapi.KeyEncoding(""), cmapi.PKCS1, cmapi.PKCS8:
- default:
- el = append(el, field.Invalid(fldPath.Child("keyEncoding"), crt.KeyEncoding, "must be either empty or one of pkcs1 or pkcs8"))
- }
 return el
 }
diff --git a/pkg/internal/apis/certmanager/validation/certificate_test.go b/pkg/internal/apis/certmanager/validation/certificate_test.go
index 65c7cfca8..0beb75cb3 100644
--- a/pkg/internal/apis/certmanager/validation/certificate_test.go
+++ b/pkg/internal/apis/certmanager/validation/certificate_test.go
@@ -244,19 +244,6 @@ func TestValidateCertificate(t *testing.T) {
 },
 },
 },
- "certificate with keysize less than zero": {
- cfg: &cmapi.Certificate{
- Spec: cmapi.CertificateSpec{
- CommonName: "testcn",
- SecretName: "abc",
- IssuerRef: validIssuerRef,
- KeySize: -99,
- },
- },
- errs: []*field.Error{
- field.Invalid(fldPath.Child("keySize"), -99, "cannot be less than zero"),
- },
- },
 "certificate with rsa keyAlgorithm specified and invalid keysize 1024": {
 cfg: &cmapi.Certificate{
 Spec: cmapi.CertificateSpec{