diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md
index 36661b86c0b..768ffb05ccd 100644
--- a/content/docs/cli/controller.md
+++ b/content/docs/cli/controller.md
@@ -20,6 +20,7 @@ Flags:
       --acme-http01-solver-resource-limits-memory string    Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
       --acme-http01-solver-resource-request-cpu string      Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m")
       --acme-http01-solver-resource-request-memory string   Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
+      --acme-http01-solver-run-as-non-root                  Defines the ability to run the http01 solver as root for troubleshooting issues (default true)
       --add_dir_header                                      If true, adds the file directory to the header of the log messages
       --alsologtostderr                                     log to standard error as well as files (no effect when -logtostderr=true)
       --auto-certificate-annotations strings                The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])
@@ -45,6 +46,7 @@ Flags:
                                                             LiteralCertificateSubject=true|false (ALPHA - default=false)
                                                             ServerSideApply=true|false (ALPHA - default=false)
                                                             StableCertificateRequestName=true|false (ALPHA - default=false)
+                                                            UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
                                                             ValidateCAA=true|false (ALPHA - default=false)
   -h, --help                                                help for cert-manager-controller
       --issuer-ambient-credentials                          Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md
index d4d7d35d062..f4d6ef30c33 100644
--- a/content/docs/cli/webhook.md
+++ b/content/docs/cli/webhook.md
@@ -26,6 +26,7 @@ Flags:
                 LiteralCertificateSubject=true|false (ALPHA - default=false)
                 ServerSideApply=true|false (ALPHA - default=false)
                 StableCertificateRequestName=true|false (ALPHA - default=false)
+                UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
                 ValidateCAA=true|false (ALPHA - default=false)
       --healthz-port int                             port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                         help for webhook
diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md
index 1eccf291108..35d0f49d6ca 100644
--- a/content/docs/reference/api-docs.md
+++ b/content/docs/reference/api-docs.md
@@ -1,10 +1,10 @@
 ---
 title: API Reference
 description: >-
-  Learn about the cert-manager API which includes Custom Resources such as
-  Certificate, CertificateRequest, Issuer and ClusterIssuer.
+  cert-manager API documentation, including Custom Resources such as
+  Certificate, CertificateRequest, Issuer and ClusterIssuer
 ---
-Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer.
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 <p>Packages:</p>
 <ul>
   <li>
@@ -24,7 +24,7 @@ Learn about the cert-manager API which includes Custom Resources such as Certifi
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#acme.cert-manager.io/v1.Challenge">Challenge</a>
@@ -750,12 +750,12 @@ Resource Types:
       <td>
         <code>parentRefs</code>
         <br />
-        <em>[]sigs.k8s.io/gateway-api/apis/v1alpha2.ParentReference</em>
+        <em>[]sigs.k8s.io/gateway-api/apis/v1beta1.ParentReference</em>
       </td>
       <td>
         <p>
           When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See:
-          <a href="https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways">https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways</a>
+          <a href="https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways">https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways</a>
         </p>
       </td>
     </tr>
@@ -1231,6 +1231,17 @@ Resource Types:
         <p>PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let&rsquo;s Encrypt&rsquo;s DST crosssign you would use: &ldquo;DST Root CA X3&rdquo; or &ldquo;ISRG Root X1&rdquo; for the newer Let&rsquo;s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer&rsquo;s CN</p>
       </td>
     </tr>
+    <tr>
+      <td>
+        <code>caBundle</code>
+        <br />
+        <em>[]byte</em>
+      </td>
+      <td>
+        <em>(Optional)</em>
+        <p>Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.</p>
+      </td>
+    </tr>
     <tr>
       <td>
         <code>skipTLSVerify</code>
@@ -1239,7 +1250,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.</p>
+        <p>INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.</p>
       </td>
     </tr>
     <tr>
@@ -2443,7 +2454,7 @@ Resource Types:
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#cert-manager.io/v1.Certificate">Certificate</a>
@@ -4470,7 +4481,7 @@ Resource Types:
         <em>bool</em>
       </td>
       <td>
-        <p> Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will only be updated upon re-issuance. A file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
+        <p> Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. A file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
       </td>
     </tr>
     <tr>
@@ -4668,7 +4679,7 @@ Resource Types:
         <em>bool</em>
       </td>
       <td>
-        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will only be updated upon re-issuance. A file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
+        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. A file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
       </td>
     </tr>
     <tr>
@@ -4950,7 +4961,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.</p>
+        <p>Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.</p>
       </td>
     </tr>
     <tr>
@@ -4963,7 +4974,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to &lsquo;ca.crt&rsquo;.</p>
+        <p>Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to &lsquo;ca.crt&rsquo;.</p>
       </td>
     </tr>
   </tbody>
@@ -5148,7 +5159,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.</p>
+        <p>Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.</p>
       </td>
     </tr>
   </tbody>
@@ -5261,7 +5272,7 @@ Resource Types:
 <div>
   <p>Package v1 contains meta types for cert-manager APIs</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="meta.cert-manager.io/v1.ConditionStatus"> ConditionStatus (<code>string</code> alias) </h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateCondition">CertificateCondition</a>, <a href="#cert-manager.io/v1.CertificateRequestCondition">CertificateRequestCondition</a>, <a href="#cert-manager.io/v1.IssuerCondition">IssuerCondition</a>) </p>
@@ -5421,7 +5432,7 @@ Resource Types:
 <div>
   <p>Package v1alpha1 is the v1alpha1 version of the webhook config API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="webhook.config.cert-manager.io/v1alpha1.DynamicServingConfig">DynamicServingConfig</h3>
 <p> (<em>Appears on:</em> <a href="#webhook.config.cert-manager.io/v1alpha1.TLSConfig">TLSConfig</a>) </p>
@@ -5659,5 +5670,5 @@ Resource Types:
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>da3265115</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>7ebb5f515</code>. </em>
 </p>
diff --git a/content/v1.10-docs/reference/api-docs.md b/content/v1.10-docs/reference/api-docs.md
index 1eccf291108..534fdd7bc25 100644
--- a/content/v1.10-docs/reference/api-docs.md
+++ b/content/v1.10-docs/reference/api-docs.md
@@ -1,10 +1,10 @@
 ---
 title: API Reference
 description: >-
-  Learn about the cert-manager API which includes Custom Resources such as
-  Certificate, CertificateRequest, Issuer and ClusterIssuer.
+  cert-manager API documentation, including Custom Resources such as
+  Certificate, CertificateRequest, Issuer and ClusterIssuer
 ---
-Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer.
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 <p>Packages:</p>
 <ul>
   <li>
@@ -24,7 +24,7 @@ Learn about the cert-manager API which includes Custom Resources such as Certifi
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#acme.cert-manager.io/v1.Challenge">Challenge</a>
@@ -2443,7 +2443,7 @@ Resource Types:
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#cert-manager.io/v1.Certificate">Certificate</a>
@@ -5261,7 +5261,7 @@ Resource Types:
 <div>
   <p>Package v1 contains meta types for cert-manager APIs</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="meta.cert-manager.io/v1.ConditionStatus"> ConditionStatus (<code>string</code> alias) </h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateCondition">CertificateCondition</a>, <a href="#cert-manager.io/v1.CertificateRequestCondition">CertificateRequestCondition</a>, <a href="#cert-manager.io/v1.IssuerCondition">IssuerCondition</a>) </p>
@@ -5421,7 +5421,7 @@ Resource Types:
 <div>
   <p>Package v1alpha1 is the v1alpha1 version of the webhook config API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="webhook.config.cert-manager.io/v1alpha1.DynamicServingConfig">DynamicServingConfig</h3>
 <p> (<em>Appears on:</em> <a href="#webhook.config.cert-manager.io/v1alpha1.TLSConfig">TLSConfig</a>) </p>
@@ -5659,5 +5659,5 @@ Resource Types:
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>da3265115</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>83791ee45</code>. </em>
 </p>
diff --git a/content/v1.11-docs/cli/controller.md b/content/v1.11-docs/cli/controller.md
index 36661b86c0b..768ffb05ccd 100644
--- a/content/v1.11-docs/cli/controller.md
+++ b/content/v1.11-docs/cli/controller.md
@@ -20,6 +20,7 @@ Flags:
       --acme-http01-solver-resource-limits-memory string    Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
       --acme-http01-solver-resource-request-cpu string      Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m")
       --acme-http01-solver-resource-request-memory string   Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
+      --acme-http01-solver-run-as-non-root                  Defines the ability to run the http01 solver as root for troubleshooting issues (default true)
       --add_dir_header                                      If true, adds the file directory to the header of the log messages
       --alsologtostderr                                     log to standard error as well as files (no effect when -logtostderr=true)
       --auto-certificate-annotations strings                The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])
@@ -45,6 +46,7 @@ Flags:
                                                             LiteralCertificateSubject=true|false (ALPHA - default=false)
                                                             ServerSideApply=true|false (ALPHA - default=false)
                                                             StableCertificateRequestName=true|false (ALPHA - default=false)
+                                                            UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
                                                             ValidateCAA=true|false (ALPHA - default=false)
   -h, --help                                                help for cert-manager-controller
       --issuer-ambient-credentials                          Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
diff --git a/content/v1.11-docs/cli/webhook.md b/content/v1.11-docs/cli/webhook.md
index d4d7d35d062..f4d6ef30c33 100644
--- a/content/v1.11-docs/cli/webhook.md
+++ b/content/v1.11-docs/cli/webhook.md
@@ -26,6 +26,7 @@ Flags:
                 LiteralCertificateSubject=true|false (ALPHA - default=false)
                 ServerSideApply=true|false (ALPHA - default=false)
                 StableCertificateRequestName=true|false (ALPHA - default=false)
+                UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
                 ValidateCAA=true|false (ALPHA - default=false)
       --healthz-port int                             port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                         help for webhook
diff --git a/content/v1.11-docs/reference/api-docs.md b/content/v1.11-docs/reference/api-docs.md
index 1eccf291108..35d0f49d6ca 100644
--- a/content/v1.11-docs/reference/api-docs.md
+++ b/content/v1.11-docs/reference/api-docs.md
@@ -1,10 +1,10 @@
 ---
 title: API Reference
 description: >-
-  Learn about the cert-manager API which includes Custom Resources such as
-  Certificate, CertificateRequest, Issuer and ClusterIssuer.
+  cert-manager API documentation, including Custom Resources such as
+  Certificate, CertificateRequest, Issuer and ClusterIssuer
 ---
-Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer.
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 <p>Packages:</p>
 <ul>
   <li>
@@ -24,7 +24,7 @@ Learn about the cert-manager API which includes Custom Resources such as Certifi
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#acme.cert-manager.io/v1.Challenge">Challenge</a>
@@ -750,12 +750,12 @@ Resource Types:
       <td>
         <code>parentRefs</code>
         <br />
-        <em>[]sigs.k8s.io/gateway-api/apis/v1alpha2.ParentReference</em>
+        <em>[]sigs.k8s.io/gateway-api/apis/v1beta1.ParentReference</em>
       </td>
       <td>
         <p>
           When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See:
-          <a href="https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways">https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways</a>
+          <a href="https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways">https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways</a>
         </p>
       </td>
     </tr>
@@ -1231,6 +1231,17 @@ Resource Types:
         <p>PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let&rsquo;s Encrypt&rsquo;s DST crosssign you would use: &ldquo;DST Root CA X3&rdquo; or &ldquo;ISRG Root X1&rdquo; for the newer Let&rsquo;s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer&rsquo;s CN</p>
       </td>
     </tr>
+    <tr>
+      <td>
+        <code>caBundle</code>
+        <br />
+        <em>[]byte</em>
+      </td>
+      <td>
+        <em>(Optional)</em>
+        <p>Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.</p>
+      </td>
+    </tr>
     <tr>
       <td>
         <code>skipTLSVerify</code>
@@ -1239,7 +1250,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.</p>
+        <p>INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.</p>
       </td>
     </tr>
     <tr>
@@ -2443,7 +2454,7 @@ Resource Types:
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#cert-manager.io/v1.Certificate">Certificate</a>
@@ -4470,7 +4481,7 @@ Resource Types:
         <em>bool</em>
       </td>
       <td>
-        <p> Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will only be updated upon re-issuance. A file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
+        <p> Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. A file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
       </td>
     </tr>
     <tr>
@@ -4668,7 +4679,7 @@ Resource Types:
         <em>bool</em>
       </td>
       <td>
-        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will only be updated upon re-issuance. A file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
+        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. A file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
       </td>
     </tr>
     <tr>
@@ -4950,7 +4961,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection.</p>
+        <p>Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.</p>
       </td>
     </tr>
     <tr>
@@ -4963,7 +4974,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to &lsquo;ca.crt&rsquo;.</p>
+        <p>Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to &lsquo;ca.crt&rsquo;.</p>
       </td>
     </tr>
   </tbody>
@@ -5148,7 +5159,7 @@ Resource Types:
       </td>
       <td>
         <em>(Optional)</em>
-        <p>CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.</p>
+        <p>Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.</p>
       </td>
     </tr>
   </tbody>
@@ -5261,7 +5272,7 @@ Resource Types:
 <div>
   <p>Package v1 contains meta types for cert-manager APIs</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="meta.cert-manager.io/v1.ConditionStatus"> ConditionStatus (<code>string</code> alias) </h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateCondition">CertificateCondition</a>, <a href="#cert-manager.io/v1.CertificateRequestCondition">CertificateRequestCondition</a>, <a href="#cert-manager.io/v1.IssuerCondition">IssuerCondition</a>) </p>
@@ -5421,7 +5432,7 @@ Resource Types:
 <div>
   <p>Package v1alpha1 is the v1alpha1 version of the webhook config API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="webhook.config.cert-manager.io/v1alpha1.DynamicServingConfig">DynamicServingConfig</h3>
 <p> (<em>Appears on:</em> <a href="#webhook.config.cert-manager.io/v1alpha1.TLSConfig">TLSConfig</a>) </p>
@@ -5659,5 +5670,5 @@ Resource Types:
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>da3265115</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>7ebb5f515</code>. </em>
 </p>
diff --git a/content/v1.8-docs/reference/api-docs.md b/content/v1.8-docs/reference/api-docs.md
index 7c073c3cb68..d6c0a4e8e61 100644
--- a/content/v1.8-docs/reference/api-docs.md
+++ b/content/v1.8-docs/reference/api-docs.md
@@ -1,7 +1,10 @@
 ---
-title: API reference docs
-description: cert-manager API reference documentation
+title: API Reference
+description: >-
+  cert-manager API documentation, including Custom Resources such as
+  Certificate, CertificateRequest, Issuer and ClusterIssuer
 ---
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 <p>Packages:</p>
 <ul>
   <li>
@@ -21,7 +24,7 @@ description: cert-manager API reference documentation
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#acme.cert-manager.io/v1.Challenge">Challenge</a>
@@ -2430,7 +2433,7 @@ Resource Types:
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#cert-manager.io/v1.Certificate">Certificate</a>
@@ -5212,7 +5215,7 @@ Resource Types:
 <div>
   <p>Package v1 contains meta types for cert-manager APIs</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="meta.cert-manager.io/v1.ConditionStatus"> ConditionStatus (<code>string</code> alias) </h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateCondition">CertificateCondition</a>, <a href="#cert-manager.io/v1.CertificateRequestCondition">CertificateRequestCondition</a>, <a href="#cert-manager.io/v1.IssuerCondition">IssuerCondition</a>) </p>
@@ -5372,7 +5375,7 @@ Resource Types:
 <div>
   <p>Package v1alpha1 is the v1alpha1 version of the webhook config API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="webhook.config.cert-manager.io/v1alpha1.DynamicServingConfig">DynamicServingConfig</h3>
 <p> (<em>Appears on:</em> <a href="#webhook.config.cert-manager.io/v1alpha1.TLSConfig">TLSConfig</a>) </p>
@@ -5610,5 +5613,5 @@ Resource Types:
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>57a216e51</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>42c5df90f</code>. </em>
 </p>
diff --git a/content/v1.9-docs/reference/api-docs.md b/content/v1.9-docs/reference/api-docs.md
index 21d4870d22a..9464c7ea28b 100644
--- a/content/v1.9-docs/reference/api-docs.md
+++ b/content/v1.9-docs/reference/api-docs.md
@@ -1,10 +1,10 @@
 ---
 title: API Reference
 description: >-
-  Learn about the cert-manager API which includes Custom Resources such as
-  Certificate, CertificateRequest, Issuer and ClusterIssuer.
+  cert-manager API documentation, including Custom Resources such as
+  Certificate, CertificateRequest, Issuer and ClusterIssuer
 ---
-Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer.
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 <p>Packages:</p>
 <ul>
   <li>
@@ -24,7 +24,7 @@ Learn about the cert-manager API which includes Custom Resources such as Certifi
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#acme.cert-manager.io/v1.Challenge">Challenge</a>
@@ -2443,7 +2443,7 @@ Resource Types:
 <div>
   <p>Package v1 is the v1 version of the API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul>
   <li>
     <a href="#cert-manager.io/v1.Certificate">Certificate</a>
@@ -5247,7 +5247,7 @@ Resource Types:
 <div>
   <p>Package v1 contains meta types for cert-manager APIs</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="meta.cert-manager.io/v1.ConditionStatus"> ConditionStatus (<code>string</code> alias) </h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateCondition">CertificateCondition</a>, <a href="#cert-manager.io/v1.CertificateRequestCondition">CertificateRequestCondition</a>, <a href="#cert-manager.io/v1.IssuerCondition">IssuerCondition</a>) </p>
@@ -5407,7 +5407,7 @@ Resource Types:
 <div>
   <p>Package v1alpha1 is the v1alpha1 version of the webhook config API.</p>
 </div>
-Resource Types:
+<p>Resource Types:</p>
 <ul></ul>
 <h3 id="webhook.config.cert-manager.io/v1alpha1.DynamicServingConfig">DynamicServingConfig</h3>
 <p> (<em>Appears on:</em> <a href="#webhook.config.cert-manager.io/v1alpha1.TLSConfig">TLSConfig</a>) </p>
@@ -5645,5 +5645,5 @@ Resource Types:
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>4486c01f7</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>4dd6cee00</code>. </em>
 </p>
diff --git a/scripts/gendocs/postprocess/api-doc-postprocess.js b/scripts/gendocs/postprocess/api-doc-postprocess.js
index 7a75416e288..af6c37cccaf 100755
--- a/scripts/gendocs/postprocess/api-doc-postprocess.js
+++ b/scripts/gendocs/postprocess/api-doc-postprocess.js
@@ -2,12 +2,16 @@
 
 import { readFileSync, writeFileSync } from 'fs'
 import prettier from 'prettier'
+
+// matter is used to split front-matter from the main doc content
 import matter from 'gray-matter'
 
 const apiDocsFile = readFileSync(0, 'utf8')
 
 const { content, data } = matter(apiDocsFile)
+
 let result = content
+
 result = prettier.format(`<div>${result}</div>`, {
   parser: 'babel',
   htmlWhitespaceSensitivity: 'strict',
diff --git a/scripts/gendocs/templates/members.tpl b/scripts/gendocs/templates/members.tpl
index a529c671647..0fd7bf7c3b8 100644
--- a/scripts/gendocs/templates/members.tpl
+++ b/scripts/gendocs/templates/members.tpl
@@ -4,7 +4,8 @@
 {{ if not (hiddenMember .)}}
 <tr>
     <td>
-        <code>{{ fieldName . }}</code><br/>
+        <code>{{ fieldName . }}</code>
+        <br/>
         <em>
             {{ if linkForType .Type }}
                 <a href="{{ linkForType .Type}}">
diff --git a/scripts/gendocs/templates/pkg.tpl b/scripts/gendocs/templates/pkg.tpl
index a16923a403f..c09ebe88d76 100644
--- a/scripts/gendocs/templates/pkg.tpl
+++ b/scripts/gendocs/templates/pkg.tpl
@@ -1,10 +1,10 @@
 {{ define "packages" }}
 ---
 title: "API Reference"
-description: "Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer."
+description: "cert-manager API documentation, including Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer"
 ---
 
-Learn about the cert-manager API which includes Custom Resources such as Certificate, CertificateRequest, Issuer and ClusterIssuer.
+<p>cert-manager API documentation, including various Custom Resource Definitions</p>
 
 {{ with .packages}}
 <p>Packages:</p>
@@ -30,7 +30,8 @@ Learn about the cert-manager API which includes Custom Resources such as Certifi
         {{ end }}
     {{ end }}
 
-    Resource Types:
+    <p>Resource Types:</p>
+
     <ul>
     {{- range (visibleTypes (sortedTypes .Types)) -}}
         {{ if isExportedType . -}}
diff --git a/scripts/gendocs/templates/type.tpl b/scripts/gendocs/templates/type.tpl
index 8f0d66b8bab..aba5b201420 100644
--- a/scripts/gendocs/templates/type.tpl
+++ b/scripts/gendocs/templates/type.tpl
@@ -57,8 +57,10 @@
         {{ if isExportedType . }}
         <tr>
             <td>
-                <code>apiVersion</code><br/>
-                string</td>
+                <code>apiVersion</code>
+                <br/>
+                string
+            </td>
             <td>
                 <code>
                     {{apiGroup .}}
@@ -67,10 +69,13 @@
         </tr>
         <tr>
             <td>
-                <code>kind</code><br/>
+                <code>kind</code>
+                <br/>
                 string
             </td>
-            <td><code>{{.Name.Name}}</code></td>
+            <td>
+                <code>{{.Name.Name}}</code>
+            </td>
         </tr>
         {{ end }}
         {{ template "members" .}}