diff --git a/pkg/controller/monitoring.go b/pkg/controller/monitoring.go
index 0e5b2e2df6d..e830c03cded 100644
--- a/pkg/controller/monitoring.go
+++ b/pkg/controller/monitoring.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"strings"
 	"time"
 	"github.com/minio/madmin-go/v3"
@@ -120,6 +121,42 @@ func (c *Controller) updateHealthStatusForTenant(tenant *miniov2.Tenant) error {
 	if err != nil {
 		// show the error and continue
 		klog.Infof("'%s/%s' Failed to get cluster health: %v", tenant.Namespace, tenant.Name, err)
+		if strings.Contains(err.Error(), "failed to verify certificate") {
+			externalCertSecret := tenant.Spec.ExternalCertSecret
+			klog.Info("Let's check if there is an external cert for the tenant...")
+			if externalCertSecret != nil {
+				// Check that there is a secret that starts with "operator-ca-tls-" to proceed with the renewal
+				secretsAvailableAtOperatorNS, _ := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).List(context.Background(), metav1.ListOptions{})
+				for _, secret := range secretsAvailableAtOperatorNS.Items {
+					// Check if secret starts with "operator-ca-tls-"
+					secretName := OperatorCATLSSecretName + "-"
+					if strings.HasPrefix(secret.Name, secretName) {
+						klog.Infof("External secret found: %s", secret.Name)
+						klog.Info("We are going to renew the external certificate for the tenant...")
+						// Steps:
+						// 1. Delete the secret that starts with operator-ca-tls- because it is expired
+						c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Delete(context.Background(), secret.Name, metav1.DeleteOptions{})
+						// 2. Get the new certificate generated by cert-manager
+						tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name
+						data, _ := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{})
+						CACertificate := data.Data["0"]
+						// 3. Create the new secret that contains the new certificate
+						newSecret := &corev1.Secret{
+							Type: "Opaque",
+							ObjectMeta: metav1.ObjectMeta{
+								Name:      secret.Name,
+								Namespace: miniov2.GetNSFromFile(),
+							},
+							Data: map[string][]byte{
+								"ca.crt": CACertificate,
+							},
+						}
+						c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile()).Create(context.Background(), newSecret, metav1.CreateOptions{})
+						// 4. Rollout the Operator Deployment to use new certificate and trust the tenant.
+					}
+				}
+			}
+		}
 	return nil
 }
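Review bot: Every API call in the renewal path discards its error, so a failed `Get` leaves `data` nil and `data.Data["0"]` panics inside the health loop, and `tenant.Spec.ExternalCertSecret[0]` is indexed after only a nil check, which a non-nil empty slice passes. The ordering also deletes the operator-ca-tls-* secret before the replacement has been fetched or validated, so a failed Get or a missing key (the lookup reads "0" while the new secret is written under "ca.crt") leaves the operator with no trust anchor at all; fetch and validate first, then replace, and check the Delete/Create results. A substring match on "failed to verify certificate" fires for any verification failure, not only expiry as the step-1 comment assumes, so consider parsing the stored certificate and checking NotAfter before treating it as renewable. Step 4 is a comment with no code, so the rewritten secret is not picked up until something else restarts the operator. updateHealthStatusForTenant begins before this hunk.
```go
if strings.HasPrefix(secret.Name, secretName) {
	// … unchanged: log lines …
	if len(tenant.Spec.ExternalCertSecret) == 0 {
		break
	}
	tenantSecretName := tenant.Spec.ExternalCertSecret[0].Name
	data, err := c.kubeClientSet.CoreV1().Secrets(tenant.Namespace).Get(context.Background(), tenantSecretName, metav1.GetOptions{})
	if err != nil {
		klog.Errorf("'%s/%s' Failed to get external cert secret %s: %v", tenant.Namespace, tenant.Name, tenantSecretName, err)
		break
	}
	CACertificate, ok := data.Data["0"] // TODO(review): confirm the key; the replacement is written as "ca.crt"
	if !ok || len(CACertificate) == 0 {
		klog.Errorf("'%s/%s' External cert secret %s has no CA data", tenant.Namespace, tenant.Name, tenantSecretName)
		break
	}
	// Replace the operator CA only now that the new material is in hand.
	opSecrets := c.kubeClientSet.CoreV1().Secrets(miniov2.GetNSFromFile())
	if err := opSecrets.Delete(context.Background(), secret.Name, metav1.DeleteOptions{}); err != nil {
		klog.Errorf("Failed to delete %s: %v", secret.Name, err)
		break
	}
	// … unchanged: newSecret literal …
	if _, err := opSecrets.Create(context.Background(), newSecret, metav1.CreateOptions{}); err != nil {
		klog.Errorf("Failed to create %s: %v", secret.Name, err)
	}
	// 4. Rollout the Operator Deployment to use new certificate and trust the tenant.
```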