diff --git a/pkg/controller/certificatemanager/certificatemanager_test.go b/pkg/controller/certificatemanager/certificatemanager_test.go
index 34e3a94539..15f4b8c1c1 100644
--- a/pkg/controller/certificatemanager/certificatemanager_test.go
+++ b/pkg/controller/certificatemanager/certificatemanager_test.go
@@ -502,13 +502,24 @@ var _ = Describe("Test CertificateManagement suite", func() {
 			By("verifying it does replace a secret when dns names are missing")
 			keyPair, err := certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, appDNSNames)
 			Expect(err).NotTo(HaveOccurred())
+			Expect(cli.Create(ctx, keyPair.Secret(appNs))).NotTo(HaveOccurred())
+			Expect(err).NotTo(HaveOccurred())
 			test.VerifyCertSANs(keyPair.GetCertificatePEM(), appDNSNames...)
 			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, missingDNSNames)
 			Expect(err).NotTo(HaveOccurred())
 			test.VerifyCertSANs(keyPair.GetCertificatePEM(), missingDNSNames...)
 
+			By("verifying it does replace a legacy secret when dns names are missing")
+			Expect(cli.Create(ctx, legacySecret)).NotTo(HaveOccurred())
+			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, legacySecretName, appNs, appDNSNames)
+			Expect(err).NotTo(HaveOccurred())
+			test.VerifyCertSANs(keyPair.GetCertificatePEM(), appDNSNames...)
+			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, legacySecretName, appNs, missingDNSNames)
+			Expect(err).NotTo(HaveOccurred())
+			test.VerifyCertSANs(keyPair.GetCertificatePEM(), missingDNSNames...)
+
 			By("verifying it does not replace a BYO secret, nor throw an error")
-			Expect(cli.Create(ctx, byoSecret)).NotTo(HaveOccurred())
+			Expect(cli.Update(ctx, byoSecret)).NotTo(HaveOccurred())
 			keyPair, err = certificateManager.GetOrCreateKeyPair(cli, appSecretName, appNs, missingDNSNames)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(keyPair.UseCertificateManagement()).To(BeFalse())