diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp
index 74edf56d..5ab11f85 100644
--- a/site-modules/profile/manifests/puppet/master.pp
+++ b/site-modules/profile/manifests/puppet/master.pp
@@ -1,29 +1,37 @@
 # Puppet master profile
 class profile::puppet::master {
   $puppetdb = lookup('puppet::master::puppetdb')
 
   include ::profile::puppet::base
 
   class { '::puppet':
     server                      => true,
     server_common_modules_path  => '',
     server_environments         => [],
     server_external_nodes       => '',
     server_foreman              => false,
     server_passenger            => true,
     server_puppetdb_host        => $puppetdb,
     server_reports              => 'store,puppetdb',
     server_storeconfigs_backend => 'puppetdb',
 
     *                           => $::profile::puppet::base::agent_config,
   }
 
   file { '/usr/local/sbin/swh-puppet-master-deploy':
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
     mode    => '0755',
     content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'),
   }
 
+  file { '/usr/local/sbin/swh-puppet-master-clean-certificate':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => template('profile/puppet/swh-puppet-master-clean-certificate.sh.erb'),
+  }
+
 }
diff --git a/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb b/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb
new file mode 100644
index 00000000..64c0bb73
--- /dev/null
+++ b/site-modules/profile/templates/puppet/swh-puppet-master-clean-certificate.sh.erb
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Use:
+# $0 CERTNAME
+
+# Example:
+# $0 storage0.internal.staging.swh.network
+
+set -x
+
+CERTNAME=$1
+puppet node deactivate $CERTNAME
+puppet cert clean $CERTNAME
+systemctl restart apache2