diff --git a/controllers/soot/manager.go b/controllers/soot/manager.go
index 11b9d55a4..27e5debb3 100644
--- a/controllers/soot/manager.go
+++ b/controllers/soot/manager.go
@@ -36,9 +36,10 @@ import (
 )
 type sootItem struct {
- triggers []chan event.GenericEvent
- cancelFn context.CancelFunc
- completedCh chan struct{}
+ certificateSha string
+ triggers []chan event.GenericEvent
+ cancelFn context.CancelFunc
+ completedCh chan struct{}
 }
 type sootMap map[string]sootItem
@@ -147,7 +148,7 @@ func (m *Manager) retryTenantControlPlaneAnnotations(ctx context.Context, reques
 })
 }
-//nolint:maintidx
+//nolint:maintidx,gocyclo
 func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res reconcile.Result, err error) {
 // Retrieving the TenantControlPlane:
 // in case of deletion, we must be sure to properly remove from the memory the soot manager.
@@ -189,6 +190,10 @@ func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 // we don't want to pollute with messages due to broken connection.
 // Once the TCP will be ready again, the event will be intercepted and the manager started back.
 return reconcile.Result{}, m.cleanup(ctx, request, tcp)
+ case tcp.Status.KubeConfig.Admin.Checksum != v.certificateSha:
+ // The stored kubeconfig to access the Tenant Control Plane has changed:
+ // we need to clean-up and requeue to fetch the updated value.
+ return reconcile.Result{RequeueAfter: time.Second}, m.cleanup(ctx, request, tcp)
 default:
 for _, trigger := range v.triggers {
 var shrunkTCP kamajiv1alpha1.TenantControlPlane
@@ -394,6 +399,7 @@ func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 }()
 m.sootMap[request.NamespacedName.String()] = sootItem{
+ certificateSha: tcp.Status.KubeConfig.Admin.Checksum,
 triggers: []chan event.GenericEvent{
 writePermissions.TriggerChannel,
 migrate.TriggerChannel,
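Review bot: The new `certificateSha` field in `sootItem` has no comment, and its name does not match what it holds. Later in this diff it is assigned `tcp.Status.KubeConfig.Admin.Checksum`, which is the admin kubeconfig checksum rather than a certificate digest, and nothing visible here says the checksum is a SHA. A name such as `kubeconfigChecksum` would be less misleading. At minimum I would add `// certificateSha is the admin kubeconfig checksum the soot manager was started with; Reconcile restarts the manager when the TCP status reports a different value.`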
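Review bot: The new `case tcp.Status.KubeConfig.Admin.Checksum != v.certificateSha:` branch tears down a running soot manager because its credentials were rotated, but it records nothing, so an operator cannot tell this restart from the not-ready cleanup just above it. A single info-level log line naming the tenant control plane and stating that the admin kubeconfig checksum changed would make rotations auditable; it should not include the checksum's source material. Separately, controller-runtime ignores the returned `Result` when the error is non-nil, so `RequeueAfter: time.Second` only applies when `m.cleanup` succeeds. I would state that in the comment, e.g. `// on cleanup failure the error drives a backoff requeue; RequeueAfter applies only on success`. The switch and the rest of Reconcile lie outside this hunk, so the ordering relative to the earlier cases is assumed from the visible context.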
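Review bot: The checksum stored in `sootItem` is read from `tcp.Status.KubeConfig.Admin.Checksum`, not derived from the kubeconfig the manager was actually built with. The code that loads that kubeconfig is outside this hunk. If the secret and the status field can be observed at different revisions, the recorded value may describe a different credential than the one in use. The likely outcome is one redundant restart, but it is worth confirming that a manager cannot keep running on a stale kubeconfig while the recorded checksum already matches the new status. If that cannot be ruled out, compute the recorded value from the loaded secret's bytes, or add a comment such as `// checksum is taken from status; the kubeconfig secret is assumed to be at the same revision`.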