diff --git a/src/_nebari/stages/kubernetes_services/template/forward-auth.tf b/src/_nebari/stages/kubernetes_services/template/forward-auth.tf
index 2d98bf3e6..2441b1b77 100644
--- a/src/_nebari/stages/kubernetes_services/template/forward-auth.tf
+++ b/src/_nebari/stages/kubernetes_services/template/forward-auth.tf
@@ -8,6 +8,7 @@ module "forwardauth" {
   node-group                  = var.node_groups.general
   forwardauth_middleware_name = var.forwardauth_middleware_name
   cert_secret_name            = var.cert_secret_name
+
 }
 
 variable "forwardauth_middleware_name" {
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf
index 564d397d1..e5ca05c91 100644
--- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf
+++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf
@@ -162,6 +162,20 @@ resource "kubernetes_deployment" "forwardauth-deployment" {
       }
     }
   }
+
+  lifecycle {
+    # force forward auth redeployment if the cert is updated
+    replace_triggered_by = [
+      kubernetes_secret_v1.cert_secret.metadata.0.uid
+    ]
+  }
+}
+
+data "kubernetes_secret_v1" "cert_secret" {
+  metadata {
+    name      = var.cert_secret_name
+    namespace = var.namespace
+  }
 }
 
 resource "kubernetes_manifest" "forwardauth-middleware" {