diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
index c81f080..1d0e30b 100644
--- a/charts/dsv-injector/templates/webhook.yaml
+++ b/charts/dsv-injector/templates/webhook.yaml
@@ -1,5 +1,13 @@
 {{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
 {{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
+{{- $needsRecreate := false -}}
+{{- if $tlsSecret }}
+  {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
+  {{- if and $cert (lt (now | date "2006-01-02" | dateAdd (mul $recreateSelfSignedCertThreshold 24h)) ($cert | date "2006-01-02")) }}
+    {{- $needsRecreate = true -}}
+  {{- end -}}
+{{- end -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -19,7 +27,7 @@ webhooks:
     clientConfig:
     {{- if eq .Values.service.type "ExternalName" }}
       caBundle: {{ .Values.caBundle }}
-{{- else if $tlsSecret }}
+{{- else if and $tlsSecret (not $needsRecreate) }}
       caBundle: {{ $tlsSecret.data.cert }}
     {{- else }}
       caBundle: {{ $tlsCert.Cert | b64enc }}
@@ -38,7 +46,7 @@ kind: Secret
 metadata:
   name: {{ include "dsv.name" . }}-tls
 data:
-{{- if $tlsSecret }}
+{{- if and $tlsSecret (not $needsRecreate) }}
   cert.pem: {{ $tlsSecret.data.cert }}
   key.pem: {{ $tlsSecret.data.key }}
 {{- else }}
diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml
index e1e9a5f..6c7af43 100644
--- a/charts/dsv-injector/values.yaml
+++ b/charts/dsv-injector/values.yaml
@@ -120,3 +120,11 @@ configmap:
 # DSV_CREDENTIALS_JSON:
 # DSV_SERVER_ADDRESS:
 # DSV_DEBUG: 'true' # Warning: if passing boolean, use quoted string to avoid issues
+
+# -- webhookCertExpireDays specifies the number of days before the webhook certificate expires
+# @default -- 365
+webhookCertExpireDays: 365
+
+# -- recreateSelfSignedCertThreshold specifies the number of days before the self-signed certificate expires
+# @default -- 90
+recreateSelfSignedCertThreshold: 90
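Review bot: The new `$needsRecreate` block in the first hunk cannot render as written: `dateAdd` is not a sprig/Helm template function and `24h` is not a valid Go-template literal, so `helm upgrade` will fail at template parse time rather than rotate anything. Even with those fixed, `$tlsSecret.data.cert | b64dec | fromYaml` does not yield an expiry — the stored value is a PEM certificate, not YAML, and sprig has no x509 parser, so `$cert | date "2006-01-02"` falls back to the current time; the `lt` is also inverted (it is true while the certificate still has more than the threshold remaining, so a healthy cert would be rotated on every upgrade). A workable approach is to record the expiry when the certificate is generated — e.g. an annotation on the `-tls` Secret set from `now | date_modify (printf "%dh" (mul (default 365 .Values.webhookCertExpireDays | int) 24)) | date "2006-01-02"` and carried forward unchanged when the Secret is reused — and compare that string against the renewal date, as below. Note also that the Secret template writes keys `cert.pem`/`key.pem` while the lookup reads `.data.cert`; if those are really the stored keys, `b64dec` on a missing value will error instead of silently reusing the certificate, which is worth confirming before relying on this path.
```yaml
{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
{{- $needsRecreate := false -}}
{{- if $tlsSecret }}
  {{- /* expiry is recorded as an annotation when the cert is generated; sprig cannot read NotAfter from PEM */ -}}
  {{- $notAfter := dig "metadata" "annotations" "dsv-injector/cert-not-after" "" $tlsSecret -}}
  {{- $renewAt := now | date_modify (printf "%dh" (mul $recreateSelfSignedCertThreshold 24)) | date "2006-01-02" -}}
  {{- /* regenerate when the recorded expiry is missing or falls inside the threshold window */ -}}
  {{- if or (not $notAfter) (lt $notAfter $renewAt) }}
    {{- $needsRecreate = true -}}
  {{- end -}}
{{- end -}}
```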
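Review bot: In the Secret hunk, when `$needsRecreate` is true the branch replaces both `cert.pem` and `key.pem` with the freshly generated pair while the MutatingWebhookConfiguration above switches its `caBundle` to the new certificate in the same release, but the running injector keeps serving the old certificate until it re-reads the Secret, so admission calls fail TLS verification in between. If the Secret is consumed via a volume mount the kubelet eventually syncs it (the Deployment is not in this diff, so that is an assumption); if it is read once at startup, the pods need a roll, e.g. a pod-template annotation such as `checksum/tls: {{ ... | sha256sum }}` computed over the certificate value the Secret ends up with. Either way it is worth documenting in the chart README that an upgrade crossing the threshold rotates the webhook key and, depending on the webhook's `failurePolicy`, can cause a brief window of rejected admissions.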
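Review bot: The comment on `recreateSelfSignedCertThreshold` describes the value as "the number of days before the self-signed certificate expires", which reads like a second expiry setting rather than a renewal window; suggest `# -- recreateSelfSignedCertThreshold is the number of days before expiry at which the self-signed webhook certificate is regenerated on the next helm upgrade (must be smaller than webhookCertExpireDays, otherwise every upgrade rotates the certificate)`. Both keys only matter when the chart generates the certificate itself; when `service.type` is `ExternalName` the webhook template takes `caBundle` from values and neither setting has any effect, which is worth stating in these comments as well.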