diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp
--- a/site-modules/profile/manifests/puppet/master.pp
+++ b/site-modules/profile/manifests/puppet/master.pp
@@ -26,4 +26,12 @@
     content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'),
   }
 
+  file { '/usr/local/sbin/swh-puppet-master-clean-certificate':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => template('profile/puppet/swh-puppet-master-clean-certificate.sh.erb'),
+  }
+
 }
diff --git a/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb b/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Use:
+# $0 CERTNAME
+
+# Example:
+# $0 storage0.internal.staging.swh.network
+
+set -x
+
+CERTNAME=$1
+puppet node deactivate $CERTNAME
+puppet cert clean $CERTNAME
+systemctl restart apache2