diff --git a/pkg/tls/certRenewer.go b/pkg/tls/certRenewer.go
index 54158fe095..95dd3cb971 100644
--- a/pkg/tls/certRenewer.go
+++ b/pkg/tls/certRenewer.go
@@ -332,6 +332,41 @@ func (c *CertRenewer) RollingUpdate() error {
 func (c *CertRenewer) ValidCert() (bool, error) {
 logger := c.log.WithName("ValidCert")
+ certProps, err := GetTLSCertProps(c.clientConfig)
+ if err != nil {
+ return false, nil
+ }
+ var managedByKyverno bool
+ snameTLS := generateTLSPairSecretName(certProps)
+ snameCA := generateRootCASecretName(certProps)
+ unstrSecret, err := c.client.GetResource("", "Secret", certProps.Namespace, snameTLS)
+ if err != nil {
+ return false, nil
+ }
+
+ if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+ managedByKyverno = label == "kyverno"
+ }
+
+ _, ok := unstrSecret.GetAnnotations()[MasterDeploymentUID]
+ if managedByKyverno && !ok {
+ return false, nil
+ }
+
+ unstrSecret, err = c.client.GetResource("", "Secret", certProps.Namespace, snameCA)
+ if err != nil {
+ return false, nil
+ }
+
+ if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+ managedByKyverno = label == "kyverno"
+ }
+
+ _, ok = unstrSecret.GetAnnotations()[MasterDeploymentUID]
+ if managedByKyverno && !ok {
+ return false, nil
+ }
+
 rootCA, err := ReadRootCASecret(c.clientConfig, c.client)
 if err != nil {
 return false, errors.Wrap(err, "unable to read CA from secret")
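Review bot: Every error from GetTLSCertProps and from the two GetResource calls is collapsed into `return false, nil`, so a transient API-server or RBAC failure is reported as "certificate invalid" instead of as an error, whereas the pre-existing ReadRootCASecret check a few lines later wraps and returns its error. If the caller regenerates the secrets when ValidCert returns false, an API hiccup can trigger an unnecessary CA/TLS rotation; only a not-found result should map to `false, nil` and any other error should be returned (the fence uses apierrors.IsNotFound from k8s.io/apimachinery, assuming that package is importable in this file — otherwise at least record the error through the existing `logger` before returning). A second point: `managedByKyverno` is not reset before the CA secret is inspected, so a CA secret that carries no `ManagedByLabel` inherits the value computed for the TLS secret; if that carry-over is not intended, add `managedByKyverno = false` before the second label lookup. The same treatment applies to the GetResource call on `snameCA`, and ValidCert's body continues past the end of the hunk.
```go
unstrSecret, err := c.client.GetResource("", "Secret", certProps.Namespace, snameTLS)
if err != nil {
	if apierrors.IsNotFound(err) {
		return false, nil // a missing secret is a legitimate "needs regeneration" signal
	}
	return false, errors.Wrap(err, "unable to read TLS pair secret")
}
// … unchanged: label / annotation checks on the TLS secret, then the CA secret lookup …
```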