diff --git a/pkg/pki/certmanagerpki/certmanager_pki.go b/pkg/pki/certmanagerpki/certmanager_pki.go
index e37090d72..53f30431b 100644
--- a/pkg/pki/certmanagerpki/certmanager_pki.go
+++ b/pkg/pki/certmanagerpki/certmanager_pki.go
@@ -110,14 +110,14 @@ func (c *certManager) kafkapki(ctx context.Context, extListenerStatuses map[stri
 	sslConfig := c.cluster.Spec.ListenersConfig.SSLSecrets
 	if sslConfig.Create {
 		if sslConfig.IssuerRef == nil {
-			return fullPKI(c.cluster, extListenerStatuses), nil
+			return generatedCAForPKICertManager(c.cluster, extListenerStatuses), nil
 		}
-		return userProvidedIssuerPKI(c.cluster, extListenerStatuses), nil
+		return userProvidedIssuerforPKICertManager(c.cluster, extListenerStatuses), nil
 	}
-	return userProvidedPKI(ctx, c.client, c.cluster, extListenerStatuses)
+	return userProvidedCAforPKICertManager(ctx, c.client, c.cluster, extListenerStatuses)
 }
 
-func userProvidedIssuerPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1beta1.ListenerStatusList) []runtime.Object {
+func userProvidedIssuerforPKICertManager(cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1beta1.ListenerStatusList) []runtime.Object {
 	// No need to generate self-signed certs and issuers because the issuer is provided by user
 	return []runtime.Object{
 		// Broker "user"
@@ -127,7 +127,7 @@ func userProvidedIssuerPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses ma
 	}
 }
 
-func fullPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1beta1.ListenerStatusList) []runtime.Object {
+func generatedCAForPKICertManager(cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1beta1.ListenerStatusList) []runtime.Object {
 	return []runtime.Object{
 		// A self-signer for the CA Certificate
 		selfSignerForCluster(cluster),
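Review bot: The new helper names are not consistently MixedCaps: `userProvidedIssuerforPKICertManager` in the first hunk and `userProvidedCAforPKICertManager` in the hunk at @@ -143 spell "for" in lowercase, while `generatedCAForPKICertManager` in the second hunk on this line capitalizes "For"; since this commit already renames all three, `userProvidedIssuerForPKICertManager` and `userProvidedCAForPKICertManager` would keep the siblings and their three call sites in kafkapki uniform. None of the renamed helpers carries a doc comment, and the one that decides whether a self-signed CA comes into existence deserves one; something like `// generatedCAForPKICertManager returns the cert-manager objects for a cluster-generated CA, starting with the self-signer for the CA certificate; kafkapki takes this path only when SSLSecrets.Create is set and no IssuerRef is given.` records why the user-provided-issuer branch deliberately creates no self-signer. kafkapki's signature and the bodies of the renamed helpers lie outside these hunks.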
@@ -143,7 +143,7 @@ func fullPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1bet
 	}
 }
 
-func userProvidedPKI(
+func userProvidedCAforPKICertManager(
 	ctx context.Context, client client.Client, cluster *v1beta1.KafkaCluster, extListenerStatuses map[string]v1beta1.ListenerStatusList) ([]runtime.Object, error) {
 	// If we aren't creating the secrets we need a cluster issuer made from the provided secret
diff --git a/pkg/pki/certmanagerpki/certmanager_pki_test.go b/pkg/pki/certmanagerpki/certmanager_pki_test.go
index e5d5fefb0..edabd656d 100644
--- a/pkg/pki/certmanagerpki/certmanager_pki_test.go
+++ b/pkg/pki/certmanagerpki/certmanager_pki_test.go
@@ -22,6 +22,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+
 	"github.com/banzaicloud/koperator/api/v1alpha1"
 	"github.com/banzaicloud/koperator/api/v1beta1"
 	"github.com/banzaicloud/koperator/pkg/errorfactory"
@@ -128,6 +130,21 @@ func TestReconcilePKI(t *testing.T) {
 		t.Error("Expected successful reconcile, got:", err)
 	}
 
+	// Testing IssuerRef case
+	cluster.Spec.ListenersConfig.SSLSecrets.IssuerRef = &cmmeta.ObjectReference{
+		Name: "test",
+		Kind: "testKind",
+		Group: "testGroup",
+	}
+	manager, err = newMock(cluster)
+	if err != nil {
+		t.Error("Expected no error during initialization, got:", err)
+	}
+
+	if err := manager.ReconcilePKI(ctx, make(map[string]v1beta1.ListenerStatusList)); err != nil {
+		t.Error("Expected successful reconcile, got:", err)
+	}
+
 	cluster.Spec.ListenersConfig.SSLSecrets.Create = false
 	manager, err = newMock(cluster)
 	if err != nil {
diff --git a/pkg/pki/certmanagerpki/certmanager_user.go b/pkg/pki/certmanagerpki/certmanager_user.go
index a9615bf5c..e6450b5bc 100644
--- a/pkg/pki/certmanagerpki/certmanager_user.go
+++ b/pkg/pki/certmanagerpki/certmanager_user.go
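Review bot: The IssuerRef case added to TestReconcilePKI only asserts that `manager.ReconcilePKI` returns no error, which would pass just as well if the reconciler ignored the IssuerRef and fell back to the generated-CA path, so it does not pin the one property this branch exists for; if the mock exposes the objects it created, assert that no self-signer and no CA Certificate were created for the cluster in this case. The IssuerRef set on `cluster` is also never cleared, so the `Create = false` case that follows now runs with an IssuerRef present, a different input from what that case exercised before this commit; add `cluster.Spec.ListenersConfig.SSLSecrets.IssuerRef = nil` ahead of `cluster.Spec.ListenersConfig.SSLSecrets.Create = false`, or build the IssuerRef case on a fresh cluster. TestReconcilePKI begins and ends outside the hunk.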
@@ -182,7 +182,7 @@ func (c *certManager) clusterCertificateForUser(
 	return cert
 }
 
-// getCA returns the CA name/kind for the KafkaCluster
+// getCA returns the CA name/kind/group for the KafkaCluster
 func (c *certManager) getCA(user *v1alpha1.KafkaUser) (caName, caKind, caGroup string) {
 	var issuerRef *certmeta.ObjectReference
 	if user.Spec.PKIBackendSpec != nil {
diff --git a/pkg/pki/certmanagerpki/certmanager_user_test.go b/pkg/pki/certmanagerpki/certmanager_user_test.go
index 0c75ba5d7..2742e480b 100644
--- a/pkg/pki/certmanagerpki/certmanager_user_test.go
+++ b/pkg/pki/certmanagerpki/certmanager_user_test.go
@@ -22,6 +22,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes/scheme"
 
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+
 	"github.com/banzaicloud/koperator/api/v1alpha1"
 	"github.com/banzaicloud/koperator/pkg/errorfactory"
 	certutil "github.com/banzaicloud/koperator/pkg/util/cert"
@@ -87,6 +89,20 @@ func TestReconcileUserCertificate(t *testing.T) {
 		t.Error("Expected no error, got:", err)
 	}
 
+	// Test IssuerRef case
+	user := newMockUser()
+	user.Spec.PKIBackendSpec = &v1alpha1.PKIBackendSpec{
+		IssuerRef: &cmmeta.ObjectReference{
+			Name: "test",
+			Kind: "testKind",
+			Group: "testGroup",
+		},
+	}
+
+	if _, err := manager.ReconcileUserCertificate(ctx, user, scheme.Scheme, clusterDomain); err != nil {
+		t.Error("Expected no error, got:", err)
+	}
+
 	// Test error conditions
 	manager, err = newMock(newMockCluster())
 	if err != nil {
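Review bot: The IssuerRef case added to TestReconcileUserCertificate discards the first return value of `manager.ReconcileUserCertificate` and checks only that no error comes back, so it would still pass if the per-user issuer reference were ignored and the cluster CA used instead, which is exactly the substitution a user-supplied IssuerRef is meant to rule out. Capture the result and, if it or the mock client exposes the issued Certificate, assert that its issuerRef carries Name "test", Kind "testKind" and Group "testGroup"; the getCA comment change on this line, which now advertises the group as well, suggests the group is expected to be propagated and is worth pinning too. The case also reuses the `manager` built for the earlier cases, which is presumably fine because getCA reads the reference from `user.Spec.PKIBackendSpec` rather than from the cluster, but a one-line comment such as `// reuses the manager from the previous case; the IssuerRef under test comes from the KafkaUser spec` would make that dependency explicit. TestReconcileUserCertificate begins and ends outside the hunk.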