diff --git a/internal/controller/apicerts/certs_expirer_test.go b/internal/controller/apicerts/certs_expirer_test.go
index da1dd1ca..49ad3beb 100644
--- a/internal/controller/apicerts/certs_expirer_test.go
+++ b/internal/controller/apicerts/certs_expirer_test.go
@@ -7,8 +7,9 @@ package apicerts
 import (
 "context"
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/x509"
 "errors"
 "testing"
@@ -197,11 +198,12 @@ func TestExpirerControllerSync(t *testing.T) {
 {
 name: "parse cert failure",
 fillSecretData: func(t *testing.T, m map[string][]byte) {
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 require.NoError(t, err)
 // See certs_manager.go for this constant.
- m["tlsCertificateChain"] = x509.MarshalPKCS1PrivateKey(privateKey)
+ m["tlsCertificateChain"], err = x509.MarshalPKCS8PrivateKey(privateKey)
+ require.NoError(t, err)
 },
 wantDelete: false,
 },
diff --git a/internal/testutil/certs.go b/internal/testutil/certs.go
index f404969f..67e1c0c5 100644
--- a/internal/testutil/certs.go
+++ b/internal/testutil/certs.go
@@ -6,8 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 package testutil
 import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
@@ -82,7 +83,7 @@ func (v *ValidCert) RequireMatchesPrivateKey(keyPEM string) {
 // There is nothing very special about the certificate that it creates, just
 // that it is a valid certificate that can be used for testing.
 func CreateCertificate(notBefore, notAfter time.Time) ([]byte, error) {
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 if err != nil {
 return nil, err
 }
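Review bot: In the "parse cert failure" case of TestExpirerControllerSync (certs_expirer_test.go), nothing explains why a marshalled private key is stored under `tlsCertificateChain`. The only comment there is about the constant name. A reader has to infer that the fixture is meant to be DER that is not a certificate. I would add `// A DER-encoded private key is not a certificate, so parsing this value is expected to fail.` above the `x509.MarshalPKCS8PrivateKey` line. The test table and the function continue outside the hunk, so how the controller reports the failure is not visible here.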
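Review bot: The doc comment on CreateCertificate in internal/testutil/certs.go still only says the certificate is "valid" and does not mention that the key is now ECDSA P-256. Tests that assert on key type or signature algorithm need to know that. I would extend the comment with `// The key pair is a freshly generated ECDSA P-256 key and is intended for tests only.` The rest of the function is outside the hunk. If the certificate template there pins `SignatureAlgorithm` to an RSA value, signing with this key would presumably return an error, so that is worth confirming.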