**Describe the bug**:
In #6404 and #6500, support for OtherName and NameConstraints was added to cert-manager, respectively. In both PRs, however, we forgot to add logic that makes sure the Secret is up-to-date with the latest OtherName/NameConstraints settings (see https://github.com/cert-manager/cert-manager/blob/master/pkg/util/pki/match.go).

**Expected behaviour**:
When I change the OtherName or NameConstraints options in a Certificate resource, the certificate should be reissued.

**Environment details**:
- cert-manager version: 1.14.0-alpha.0

/kind bug
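The kind of field-by-field check the report says is missing, as an added example that is not part of the original issue and not cert-manager's own code. It compares requested name constraints against the fields Go's `crypto/x509` exposes on a parsed certificate; `wantNC`, `canon` and `ncMismatch` are hypothetical names, the comparison is assumed to be order-independent, and it covers the critical flag plus the DNS, e-mail and URI constraints.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"sort"
	"strings"
)

// wantNC is a hypothetical stand-in for the requested constraints, not cert-manager's type.
type wantNC struct {
	Critical                        bool
	PermittedDNS, ExcludedDNS       []string
	PermittedEmails, ExcludedEmails []string
	PermittedURIs, ExcludedURIs     []string
}

// canon renders a list order-independently; nil and empty lists compare equal.
func canon(in []string) string {
	s := append([]string(nil), in...)
	sort.Strings(s)
	return strings.Join(s, "\x00")
}

// ncMismatch returns the fields where the issued certificate differs from the
// request; a non-empty result means the stored certificate is stale.
func ncMismatch(want wantNC, cert *x509.Certificate) (diff []string) {
	if want.Critical != cert.PermittedDNSDomainsCritical {
		diff = append(diff, "critical")
	}
	cmp := func(field string, w, got []string) {
		if canon(w) != canon(got) {
			diff = append(diff, field)
		}
	}
	cmp("permitted.dnsDomains", want.PermittedDNS, cert.PermittedDNSDomains)
	cmp("excluded.dnsDomains", want.ExcludedDNS, cert.ExcludedDNSDomains)
	cmp("permitted.emailAddresses", want.PermittedEmails, cert.PermittedEmailAddresses)
	cmp("excluded.emailAddresses", want.ExcludedEmails, cert.ExcludedEmailAddresses)
	cmp("permitted.uriDomains", want.PermittedURIs, cert.PermittedURIDomains)
	cmp("excluded.uriDomains", want.ExcludedURIs, cert.ExcludedURIDomains)
	return diff
}

func main() {
	// Constructed stand-in for the certificate parsed from the Secret.
	issued := &x509.Certificate{PermittedDNSDomains: []string{"example.com"}}
	want := wantNC{Critical: true, PermittedDNS: []string{"example.org", "example.com"}}
	fmt.Println(ncMismatch(want, issued)) // [critical permitted.dnsDomains]
}
```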