diff --git a/content/docs/cli/cainjector.md b/content/docs/cli/cainjector.md
index dbbb17fd86..042465bcc6 100644
--- a/content/docs/cli/cainjector.md
+++ b/content/docs/cli/cainjector.md
@@ -25,6 +25,7 @@ Flags:
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
+                                                             CAInjectorMerging=true|false (ALPHA - default=false)
                                                              ServerSideApply=true|false (ALPHA - default=false)
   -h, --help                                                 help for cainjector
       --kubeconfig string                                    Paths to a kubeconfig. Only required if out-of-cluster.
diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md
index a41ad82099..e4e31d0faa 100644
--- a/content/docs/cli/controller.md
+++ b/content/docs/cli/controller.md
@@ -45,13 +45,13 @@ Flags:
                                                              ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
                                                              ExperimentalGatewayAPISupport=true|false (BETA - default=true)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
-                                                             NameConstraints=true|false (ALPHA - default=false)
+                                                             NameConstraints=true|false (BETA - default=true)
                                                              OtherNames=true|false (ALPHA - default=false)
                                                              SecretsFilteredCaching=true|false (BETA - default=true)
                                                              ServerSideApply=true|false (ALPHA - default=false)
                                                              StableCertificateRequestName=true|false (BETA - default=true)
                                                              UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
-                                                             UseDomainQualifiedFinalizer=true|false (ALPHA - default=false)
+                                                             UseDomainQualifiedFinalizer=true|false (BETA - default=true)
                                                              ValidateCAA=true|false (ALPHA - default=false)
   -h, --help                                                 help for controller
       --issuer-ambient-credentials                           Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md
index b4ef77b631..2b253b4418 100644
--- a/content/docs/cli/webhook.md
+++ b/content/docs/cli/webhook.md
@@ -26,7 +26,7 @@ Flags:
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
-                                                             NameConstraints=true|false (ALPHA - default=false)
+                                                             NameConstraints=true|false (BETA - default=true)
                                                              OtherNames=true|false (ALPHA - default=false)
       --healthz-port int32                                   port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                                 help for webhook
diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md
index f2efe54fdc..47b9498fb9 100644
--- a/content/docs/reference/api-docs.md
+++ b/content/docs/reference/api-docs.md
@@ -2167,6 +2167,17 @@ description: >-
         <p>resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity</p>
       </td>
     </tr>
+    <tr>
+      <td>
+        <code>tenantID</code>
+        <br />
+        <em>string</em>
+      </td>
+      <td>
+        <em>(Optional)</em>
+        <p>tenant ID of the managed identity, can not be used at the same time as resourceID</p>
+      </td>
+    </tr>
   </tbody>
 </table>
 <h3 id="acme.cert-manager.io/v1.CNAMEStrategy"> CNAMEStrategy (<code>string</code> alias) </h3>
@@ -5152,10 +5163,7 @@ description: >-
 <h3 id="cert-manager.io/v1.JKSKeystore">JKSKeystore</h3>
 <p> (<em>Appears on:</em> <a href="#cert-manager.io/v1.CertificateKeystores">CertificateKeystores</a>) </p>
 <div>
-  <p>
-    JKS configures options for storing a JKS keystore in the <code>spec.secretName</code>
-    Secret resource.
-  </p>
+  <p>JKS configures options for storing a JKS keystore in the target secret. Either PasswordSecretRef or Password must be provided.</p>
 </div>
 <table>
   <thead>
@@ -5173,11 +5181,22 @@ description: >-
       </td>
       <td>
         <p>
-          Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>
+          Create enables JKS keystore creation for the Certificate. If true, a file named <code>keystore.jks</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> or <code>password</code>. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named <code>truststore.jks</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>
           containing the issuing Certificate Authority
         </p>
       </td>
     </tr>
+    <tr>
+      <td>
+        <code>alias</code>
+        <br />
+        <em>string</em>
+      </td>
+      <td>
+        <em>(Optional)</em>
+        <p> Alias specifies the alias of the key in the keystore, required by the JKS format. If not provided, the default alias <code>certificate</code> will be used. </p>
+      </td>
+    </tr>
     <tr>
       <td>
         <code>passwordSecretRef</code>
@@ -5187,18 +5206,19 @@ description: >-
         </em>
       </td>
       <td>
-        <p>PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.</p>
+        <em>(Optional)</em>
+        <p>PasswordSecretRef is a reference to a non-empty key in a Secret resource containing the password used to encrypt the JKS keystore. Mutually exclusive with password. One of password or passwordSecretRef must provide a password with a non-zero length.</p>
       </td>
     </tr>
     <tr>
       <td>
-        <code>alias</code>
+        <code>password</code>
         <br />
         <em>string</em>
       </td>
       <td>
         <em>(Optional)</em>
-        <p> Alias specifies the alias of the key in the keystore, required by the JKS format. If not provided, the default alias <code>certificate</code> will be used. </p>
+        <p>Password provides a literal password used to encrypt the JKS keystore. Mutually exclusive with passwordSecretRef. One of password or passwordSecretRef must provide a password with a non-zero length.</p>
       </td>
     </tr>
   </tbody>
@@ -5526,36 +5546,48 @@ description: >-
         <em>bool</em>
       </td>
       <td>
-        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code>. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
+        <p> Create enables PKCS12 keystore creation for the Certificate. If true, a file named <code>keystore.p12</code> will be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> or in <code>password</code>. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named <code>truststore.p12</code> will also be created in the target Secret resource, encrypted using the password stored in <code>passwordSecretRef</code> containing the issuing Certificate Authority </p>
       </td>
     </tr>
     <tr>
       <td>
-        <code>passwordSecretRef</code>
+        <code>profile</code>
         <br />
         <em>
-          <a href="#meta.cert-manager.io/v1.SecretKeySelector">SecretKeySelector</a>
+          <a href="#cert-manager.io/v1.PKCS12Profile">PKCS12Profile</a>
         </em>
       </td>
       <td>
-        <p>PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.</p>
+        <em>(Optional)</em>
+        <p> Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is <code>LegacyRC2</code> for backward compatibility. </p>
+        <p>
+          If provided, allowed values are:
+          <code>LegacyRC2</code>: Deprecated. Not supported by default in OpenSSL 3 or Java 20. <code>LegacyDES</code>: Less secure algorithm. Use this option for maximal compatibility. <code>Modern2023</code>: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret.
+        </p>
       </td>
     </tr>
     <tr>
       <td>
-        <code>profile</code>
+        <code>passwordSecretRef</code>
         <br />
         <em>
-          <a href="#cert-manager.io/v1.PKCS12Profile">PKCS12Profile</a>
+          <a href="#meta.cert-manager.io/v1.SecretKeySelector">SecretKeySelector</a>
         </em>
       </td>
       <td>
         <em>(Optional)</em>
-        <p> Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is <code>LegacyRC2</code> for backward compatibility. </p>
-        <p>
-          If provided, allowed values are:
-          <code>LegacyRC2</code>: Deprecated. Not supported by default in OpenSSL 3 or Java 20. <code>LegacyDES</code>: Less secure algorithm. Use this option for maximal compatibility. <code>Modern2023</code>: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret.
-        </p>
+        <p>PasswordSecretRef is a reference to a non-empty key in a Secret resource containing the password used to encrypt the PKCS#12 keystore. Mutually exclusive with password. One of password or passwordSecretRef must provide a password with a non-zero length.</p>
+      </td>
+    </tr>
+    <tr>
+      <td>
+        <code>password</code>
+        <br />
+        <em>string</em>
+      </td>
+      <td>
+        <em>(Optional)</em>
+        <p>Password provides a literal password used to encrypt the PKCS#12 keystore. Mutually exclusive with passwordSecretRef. One of password or passwordSecretRef must provide a password with a non-zero length.</p>
       </td>
     </tr>
   </tbody>
@@ -7103,5 +7135,5 @@ description: >-
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>33df0f2</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>4562b9a</code>. </em>
 </p>
diff --git a/scripts/gendocs/generate-new-import-path-docs b/scripts/gendocs/generate-new-import-path-docs
index 31592e2b56..1bbd8459df 100755
--- a/scripts/gendocs/generate-new-import-path-docs
+++ b/scripts/gendocs/generate-new-import-path-docs
@@ -153,8 +153,8 @@ LATEST_VERSION="docs" # to also upgrade a specific version, use v1.13-docs, v1.1
 #genversionwithcli "release-1.13" "v1.13-docs"
 #genversionwithcli "release-1.14" "v1.14-docs"
 #genversionwithcli "release-1.15" "v1.15-docs"
-
-genversionwithcli "release-1.16" "$LATEST_VERSION"
+#genversionwithcli "release-1.16" "v1.16-docs"
+genversionwithcli "release-1.17" "$LATEST_VERSION"
 
 # Rather than generate the same docs again for /docs, copy from the latest version