- Bug
- Resolution: Unresolved
- Minor
- None
- 4.12.z
- Moderate
- No
- False
Description of problem:
Users can't set args mentioned in the upstream doc. For example, a customer asked about using additional certificate output formats like DER; the related doc is https://cert-manager.io/docs/usage/certificate/#additional-certificate-output-formats , and it mentions the needed arg --feature-gates=AdditionalCertificateOutputFormats=true .
But the RH cert-manager operator does not allow it, because https://github.com/openshift/cert-manager-operator/pull/95/files#diff-ba63173ce5b217444fd630bc86651de230d757ee5cbf068d0f4e4a0455403807R19 limits supportedCertManagerArgs/supportedCertManagerWebhookArgs to only a few args.
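The rejection above comes from an allowlist check on the override args. The following Go program is an added illustration of that kind of check, not code from openshift/cert-manager-operator: the allowlist contents, the gate names and the function names (SplitArg, ValidateOverrideArgs, ParseFeatureGates, ValidateFeatureGates) are constructed here. It shows why the arg is split at the first "=" (so the log line reports "--feature-gates"="AdditionalCertificateOutputFormats=true"), how an allowlist without --feature-gates rejects it, and how an allowlist that admits --feature-gates can still confine the value to known gate names instead of accepting arbitrary flags on a privileged component.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ArgError reports an override arg rejected by the allowlist. Its message mirrors
// the shape of the operator log line quoted in this report.
type ArgError struct {
	Name, Value string
}

func (e *ArgError) Error() string {
	return fmt.Sprintf("validation failed due to unsupported arg %q=%q", e.Name, e.Value)
}

// SplitArg splits "--name=value" at the first '=' so a value that itself contains
// '=' (as --feature-gates=Gate=true does) survives intact.
func SplitArg(arg string) (name, value string) {
	if i := strings.IndexByte(arg, '='); i >= 0 {
		return arg[:i], arg[i+1:]
	}
	return arg, ""
}

// ValidateOverrideArgs rejects the first arg whose name is not in the allowlist.
func ValidateOverrideArgs(args []string, allowed map[string]bool) error {
	for _, a := range args {
		name, value := SplitArg(a)
		if !allowed[name] {
			return &ArgError{Name: name, Value: value}
		}
	}
	return nil
}

// ParseFeatureGates parses a --feature-gates value ("A=true,B=false") into a map,
// rejecting malformed entries and non-boolean values.
func ParseFeatureGates(value string) (map[string]bool, error) {
	gates := map[string]bool{}
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		k, v, ok := strings.Cut(entry, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed feature gate %q", entry)
		}
		b, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("feature gate %q: %w", k, err)
		}
		gates[k] = b
	}
	return gates, nil
}

// ValidateFeatureGates accepts --feature-gates only for gate names the operator
// knows, so admitting the flag does not mean admitting any gate.
func ValidateFeatureGates(value string, known map[string]bool) error {
	gates, err := ParseFeatureGates(value)
	if err != nil {
		return err
	}
	for g := range gates {
		if !known[g] {
			return fmt.Errorf("unknown feature gate %q", g)
		}
	}
	return nil
}

func main() {
	overrides := []string{"--feature-gates=AdditionalCertificateOutputFormats=true"}

	// Constructed allowlist standing in for supportedCertManagerArgs; --feature-gates is absent.
	strict := map[string]bool{"--v": true, "--dns01-recursive-nameservers": true}
	fmt.Println("strict:", ValidateOverrideArgs(overrides, strict))

	// Constructed allowlist that also admits --feature-gates.
	extended := map[string]bool{"--v": true, "--feature-gates": true}
	fmt.Println("extended:", ValidateOverrideArgs(overrides, extended))

	// Even then, confine the value to gate names the operator recognises (constructed set).
	_, value := SplitArg(overrides[0])
	fmt.Println("gates:", ValidateFeatureGates(value, map[string]bool{"AdditionalCertificateOutputFormats": true}))
}
```

Run with `go run .`; the first line prints the same rejection text as the operator log in this report, the other two print `<nil>`.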
Version-Release number of selected component (if applicable):
v1.10.2 cert-manager operator installed in 4.12 env
How reproducible:
Always
Steps to Reproduce:
1. Install RH cert-manager operator
2. $ oc patch certmanager/cluster --type=merge -p '{"spec":{"controllerConfig":{"overrideArgs":["--feature-gates=AdditionalCertificateOutputFormats=true"]},"webhookConfig":{"overrideArgs":["--feature-gates=AdditionalCertificateOutputFormats=true"]}}}'
3. Check if cert-manager pods are renewed.
$ oc get po -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-6d4b5d4c97-c5kj2 1/1 Running 0 177m
cert-manager-cainjector-866c4fd758-782pw 1/1 Running 0 178m
cert-manager-webhook-6d48f88495-tlswl 1/1 Running 0 178m
Check cert-manager-operator pod's logs:
$ oc logs cert-manager-operator-controller-manager-f46668b78-vjgqd -n cert-manager-operator
Actual results:
3. cert-manager pods are NOT renewed. cert-manager-operator pod's logs show:
$ oc logs cert-manager-operator-controller-manager-f46668b78-vjgqd -n cert-manager-operator
...
E0412 06:42:51.322088 1 base_controller.go:272] cert-manager-webhook-deployment reconciliation failed: error running hook function (index=2): validation failed due to unsupported arg "--feature-gates"="AdditionalCertificateOutputFormats=true"
Expected results:
Should allow users to set args mentioned in the upstream doc. There are more args: https://cert-manager.io/docs/cli/controller/
Additional info:
The user has to use a workaround, which is not officially supported:
$ oc patch certmanager/cluster --type=merge -p '{"spec":{"managementState":"Unmanaged"}}'
$ oc patch deployment/cert-manager -n cert-manager --type json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=AdditionalCertificateOutputFormats=true"}]'
deployment.apps/cert-manager patched
$ oc patch deployment/cert-manager-webhook -n cert-manager --type json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=AdditionalCertificateOutputFormats=true"}]'
deployment.apps/cert-manager-webhook patched
Pods are renewed:
$ oc get po -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5ddc6cb5ff-k4wks 1/1 Running 0 114s
cert-manager-cainjector-866c4fd758-782pw 1/1 Running 0 3h39m
cert-manager-webhook-55b49fcd57-sx4jt 1/1 Running 0 56s
$ oc create -f selfsigned-issuer.yaml
$ oc create -f certificate-from-selfsigned-issuer-AdditionalCertificateOutputFormats.yaml
certificate.cert-manager.io/my-selfsigned-ca created
$ cat certificate-from-selfsigned-issuer-AdditionalCertificateOutputFormats.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
spec:
  additionalOutputFormats:
  - type: CombinedPEM
  - type: DER
  commonName: my-selfsigned-ca
  isCA: true
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  privateKey:
    algorithm: ECDSA
    size: 256
  secretName: my-root-secret
Cert is "READY":
$ oc get cert
NAME READY SECRET AGE
my-selfsigned-ca True my-root-secret 66s
The cert's corresponding secret includes the additional output formats tls-combined.pem and key.der:
$ oc extract secret/my-root-secret --confirm
tls.key
ca.crt
key.der
tls-combined.pem
tls.crt
$ cat tls-combined.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIA1zmQqRK5AKblGan67LmNALdLvPYZ/EllGPMf0rk8NQoAoGCCqGSM49
...
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBdzCCAR2gAwIBAgIRAOY3TrdaLqtR/SUEQDmjruUwCgYIKoZIzj0EAwIwGzEZ
...
-----END CERTIFICATE-----
$ file key.der
key.der: data
- is incorporated by: OCPBUGS-31078 cert-manager Operator should support users to enable "--feature-gates" (Closed)