diff --git a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
index 13e6cf3e106..9cc4be8ea0d 100644
--- a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
+++ b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
@@ -112,18 +112,25 @@ func WaitForCertificate(ctx context.Context, client certificatesclient.Certifica
 			if csr.UID != req.UID {
 				return false, fmt.Errorf("csr %q changed UIDs", csr.Name)
 			}
+			approved := false
 			for _, c := range csr.Status.Conditions {
 				if c.Type == certificates.CertificateDenied {
-					return false, fmt.Errorf("certificate signing request is not approved, reason: %v, message: %v", c.Reason, c.Message)
+					return false, fmt.Errorf("certificate signing request is denied, reason: %v, message: %v", c.Reason, c.Message)
+				}
+				if c.Type == certificates.CertificateFailed {
+					return false, fmt.Errorf("certificate signing request failed, reason: %v, message: %v", c.Reason, c.Message)
 				}
 				if c.Type == certificates.CertificateApproved {
-					if csr.Status.Certificate != nil {
-						klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
-						return true, nil
-					}
-					klog.V(2).Infof("certificate signing request %s is approved, waiting to be issued", csr.Name)
+					approved = true
 				}
 			}
+			if approved {
+				if csr.Status.Certificate != nil {
+					klog.V(2).Infof("certificate signing request %s is issued", csr.Name)
+					return true, nil
+				}
+				klog.V(2).Infof("certificate signing request %s is approved, waiting to be issued", csr.Name)
+			}
 			return false, nil
 		},
 	)