diff --git a/go.mod b/go.mod
index 075fe6a72..cae5e159a 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/projectcalico/api v0.0.0-20230602153125-fb7148692637
 github.com/prometheus-community/pro-bing v0.3.0
 github.com/prometheus/client_golang v1.16.0
- github.com/submariner-io/admiral v0.16.0
+ github.com/submariner-io/admiral v0.16.1-0.20231025063702-858d0984799c
 github.com/submariner-io/shipyard v0.16.0
 github.com/uw-labs/lichen v0.1.7
 github.com/vishvananda/netlink v1.2.1-beta.2
diff --git a/go.sum b/go.sum
index d96afaae2..885e3611c 100644
--- a/go.sum
+++ b/go.sum
@@ -506,8 +506,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/submariner-io/admiral v0.16.0 h1:uM7A6KrNDzG/DyY0VJObVs6KMqHUhRR5eBcqEjanp1A=
-github.com/submariner-io/admiral v0.16.0/go.mod h1:GP0TCJkt444r2ONKVHKBbSPaKjJb0S5Qj0MyNUl2keQ=
+github.com/submariner-io/admiral v0.16.1-0.20231025063702-858d0984799c h1:zy5mZZrB885JAuLPqpb/RoGhtd9N9tUCFE5OGAZEzWw=
+github.com/submariner-io/admiral v0.16.1-0.20231025063702-858d0984799c/go.mod h1:GP0TCJkt444r2ONKVHKBbSPaKjJb0S5Qj0MyNUl2keQ=
 github.com/submariner-io/shipyard v0.16.0 h1:PTvp2aKNBoCkfC8nS38k+DW5ZaXNMq/wzzjGOvsiAQM=
 github.com/submariner-io/shipyard v0.16.0/go.mod h1:aKCotVktXJO3azjBOmhu/0KbRcYLY3eUcSNSDDJNbxs=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
diff --git a/main.go b/main.go
index fb9816717..533ab6c68 100644
--- a/main.go
+++ b/main.go
@@ -20,12 +20,10 @@ package main
 import (
 "context"
- "crypto/x509"
 "errors"
 "flag"
 "net/http"
 "net/http/pprof"
- "sync/atomic"
 "time"
 "github.com/kelseyhightower/envconfig"
@@ -33,8 +31,8 @@ import (
 "github.com/submariner-io/admiral/pkg/log"
 "github.com/submariner-io/admiral/pkg/log/kzerolog"
 "github.com/submariner-io/admiral/pkg/names"
- "github.com/submariner-io/admiral/pkg/resource"
 "github.com/submariner-io/admiral/pkg/syncer/broker"
+ "github.com/submariner-io/admiral/pkg/util"
 admversion "github.com/submariner-io/admiral/pkg/version"
 "github.com/submariner-io/admiral/pkg/watcher"
 subv1 "github.com/submariner-io/submariner/pkg/apis/submariner.io/v1"
@@ -44,7 +42,6 @@ import (
 "github.com/submariner-io/submariner/pkg/natdiscovery"
 "github.com/submariner-io/submariner/pkg/types"
 "github.com/submariner-io/submariner/pkg/versions"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/kubernetes/scheme"
 "k8s.io/client-go/rest"
@@ -57,6 +54,7 @@ var (
 localMasterURL string
 localKubeconfig string
 showVersion = false
+ logger = log.Logger{Logger: logf.Log.WithName("main")}
 )
 func init() {
@@ -74,11 +72,6 @@ type leaderConfig struct {
 const leadershipConfigEnvPrefix = "leadership"
-var (
- logger = log.Logger{Logger: logf.Log.WithName("main")}
- lastBadCertificate atomic.Value
-)
-
 func main() {
 kzerolog.AddFlags(nil)
 flag.Parse()
@@ -100,23 +93,12 @@ func main() {
 submSpec := types.SubmarinerSpecification{}
 logger.FatalOnError(envconfig.Process("submariner", &submSpec), "Error processing env vars")
- logger.Info("Parsed env variables", submSpec)
+ logger.Infof("Parsed env variables: %#v", submSpec)
 httpServer := startHTTPServer(&submSpec)
 var err error
- //nolint:reassign // We need to reassign ErrorHandlers to register our handler
- utilruntime.ErrorHandlers = append(utilruntime.ErrorHandlers, func(err error) {
- var unknownAuthorityError x509.UnknownAuthorityError
- if errors.As(err, &unknownAuthorityError) && lastBadCertificate.Swap(unknownAuthorityError.Cert) != unknownAuthorityError.Cert {
- logger.Errorf(err, "Certificate error: %s", resource.ToJSON(err))
- }
- var certificateInvalidError x509.CertificateInvalidError
- if errors.As(err, &certificateInvalidError) && lastBadCertificate.Swap(certificateInvalidError.Cert) != certificateInvalidError.Cert {
- logger.Errorf(err, "Certificate error: %s", resource.ToJSON(err))
- }
- // The generic handler has already logged the error, no need to repeat if we don't want extra detail
- })
+ util.AddCertificateErrorHandler(submSpec.HaltOnCertError)
 restConfig, err := clientcmd.BuildConfigFromFlags(localMasterURL, localKubeconfig)
 logger.FatalOnError(err, "Error building kubeconfig")
diff --git a/pkg/types/types.go b/pkg/types/types.go
index dbd59bd30..0d9a7a9ff 100644
--- a/pkg/types/types.go
+++ b/pkg/types/types.go
@@ -45,6 +45,7 @@ type SubmarinerSpecification struct {
 NATEnabled bool
 HealthCheckEnabled bool `default:"true"`
 Uninstall bool
+ HaltOnCertError bool `split_words:"true"`
 HealthCheckInterval uint
 HealthCheckMaxPacketLossCount uint
 MetricsPort string `default:"32780"`
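Review bot: `logger.Infof("Parsed env variables: %#v", submSpec)` writes every field of the specification to the info-level log, so whatever the struct carries ends up in the pod logs and in any aggregation behind them. Only part of `SubmarinerSpecification` is visible in this diff, so whether it holds a credential-bearing field is unconfirmed. A comment at the call would keep the constraint in front of whoever extends the struct, for example `// submSpec is logged in full: keep secrets out of SubmarinerSpecification.`. `main` starts and continues outside the hunk.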
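Review bot: `HaltOnCertError` has no `default` tag and no doc comment, so it is false unless the environment sets it and nothing on the field says what it controls. With the `submariner` prefix passed to `envconfig.Process` in main.go and the `split_words:"true"` tag, the variable should be `SUBMARINER_HALT_ON_CERT_ERROR`. The value goes to `util.AddCertificateErrorHandler`, whose body is not part of this commit, so existing deployments presumably keep running after an x509 validation error unless they opt in. A field comment would state that explicitly: `// HaltOnCertError (SUBMARINER_HALT_ON_CERT_ERROR) is passed to admiral's certificate error handler; unset means false.`. The struct starts and ends outside the hunk.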