cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0

Confusing messaging when certificate secret name already exists #7002

Open jjshanks opened 3 weeks ago

jjshanks commented 3 weeks ago

Describe the bug: When doing a describe on a certificate it says unable to decode PEM block

The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block

Expected behaviour:

A message about how issuer-ref and secretName can't be the same secret. Or something more explicit about what is breaking.

Steps to reproduce the bug:

# install cert-manager v1.14.5: CRDs first, then the Helm chart
helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.14.5

# create the trust-anchor root CA and store it as a TLS secret in the linkerd namespace
kubectl create namespace linkerd
step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure &&
  kubectl create secret tls \
    linkerd-trust-anchor \
    --cert=ca.crt \
    --key=ca.key \
    --namespace=linkerd

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor   # the CA secret this Issuer signs with
EOF

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-trust-anchor   # same secret the Issuer above reads its CA from
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
EOF

Anything else we need to know?:

Environment details:

/kind bug
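A quick way to catch the collision this issue is about before cert-manager does, written here as an added example (it is neither cert-manager's code nor from the issue): it reads the JSON that `kubectl get issuers,certificates -A -o json` prints and flags every Certificate whose spec.secretName is the spec.ca.secretName of the Issuer its issuerRef points at. The sample input is constructed from the two manifests in the reproduction steps; the script name check_secret_collision.py and the decision to skip ClusterIssuers are assumptions of this example.

```python
"""Flag cert-manager Certificates whose secretName is also the CA secret of
the Issuer they reference (the collision in the reproduction steps above).

Added example, not part of cert-manager. Either pipe live cluster state in:
    kubectl get issuers,certificates -A -o json | python3 check_secret_collision.py
or run it with no stdin to check the constructed sample below.
"""
import json
import sys

CERT_MANAGER_GROUP = "cert-manager.io"


def ca_secret_index(items):
    """Map (namespace, issuer name) -> CA secret name for every namespaced
    Issuer that has a spec.ca section. ClusterIssuers are skipped on purpose
    (assumption of this example: their CA secret lives in the cluster resource
    namespace, so a name match alone does not prove a collision)."""
    index = {}
    for obj in items:
        if obj.get("kind") != "Issuer":
            continue
        ca = (obj.get("spec") or {}).get("ca") or {}
        if "secretName" in ca:
            meta = obj["metadata"]
            index[(meta["namespace"], meta["name"])] = ca["secretName"]
    return index


def find_collisions(items):
    """Return one (namespace, certificate, issuer, secret) tuple per Certificate
    that writes into the same secret its CA Issuer signs from."""
    index = ca_secret_index(items)
    hits = []
    for obj in items:
        if obj.get("kind") != "Certificate":
            continue
        meta, spec = obj["metadata"], obj.get("spec") or {}
        ref = spec.get("issuerRef") or {}
        # cert-manager defaults issuerRef.kind to Issuer and group to cert-manager.io
        if ref.get("kind", "Issuer") != "Issuer":
            continue
        if ref.get("group", CERT_MANAGER_GROUP) != CERT_MANAGER_GROUP:
            continue
        key = (meta["namespace"], ref.get("name"))
        if key in index and index[key] == spec.get("secretName"):
            hits.append((meta["namespace"], meta["name"], ref["name"], spec["secretName"]))
    return hits


# Constructed sample: the Issuer and Certificate from the reproduction steps,
# reduced to the fields the check needs, in the shape `kubectl -o json` returns.
SAMPLE_ITEMS = [
    {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
     "metadata": {"name": "linkerd-trust-anchor", "namespace": "linkerd"},
     "spec": {"ca": {"secretName": "linkerd-trust-anchor"}}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "linkerd-identity-issuer", "namespace": "linkerd"},
     "spec": {"secretName": "linkerd-trust-anchor", "isCA": True,
              "issuerRef": {"name": "linkerd-trust-anchor", "kind": "Issuer"}}},
]


def main():
    # With no piped input, check the constructed sample instead of blocking on stdin.
    if sys.stdin.isatty():
        items = SAMPLE_ITEMS
    else:
        items = json.load(sys.stdin).get("items", [])
    hits = find_collisions(items)
    for ns, cert, issuer, secret in hits:
        print(f"{ns}/{cert}: secretName {secret!r} is also the CA secret of Issuer {ns}/{issuer}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

The check exits non-zero when it finds a collision, so it can sit in a manifest-validation step before `kubectl apply`; giving the Certificate its own secretName (for instance the Certificate's own name) is what clears it.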

hawksight commented 2 weeks ago

Slack conversation: https://kubernetes.slack.com/archives/C4NV3DWUC/p1715054329904869

This issue is in reference to the article from LinkerD: https://linkerd.io/2.15/tasks/automatically-rotating-control-plane-tls-credentials/