diff --git a/build/package/helm/monoskope/templates/gateway/cert-auth.yaml b/build/package/helm/monoskope/templates/gateway/cert-auth.yaml index a90947b08..559eefce9 100644 --- a/build/package/helm/monoskope/templates/gateway/cert-auth.yaml +++ b/build/package/helm/monoskope/templates/gateway/cert-auth.yaml @@ -25,7 +25,7 @@ spec: - key encipherment - client auth privateKey: - rotationPolicy: Always + rotationPolicy: Never algorithm: RSA encoding: PKCS1 size: 2048 diff --git a/docs/operation/04-k8s-auth.md b/docs/operation/04-k8s-auth.md index 301183318..773b77565 100644 --- a/docs/operation/04-k8s-auth.md +++ b/docs/operation/04-k8s-auth.md @@ -106,3 +106,15 @@ Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCom ``` You're good to go! + +## Certificate rotation + +The certificate used by Monoskope to sign and verify k8s tokens has a long expire date by design. + +Rotating it can be done easily using the [cert-manager CLI](https://cert-manager.io/docs/reference/cmctl/#renew) + +```shell +cmctl renew m8-monoskope-tls-cert +``` + +For more information see [here](https://cert-manager.io/docs/usage/certificate#actions-triggering-private-key-rotation)
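Review bot: In the cert-auth.yaml hunk, switching `rotationPolicy: Always` to `rotationPolicy: Never` changes the security semantics of every renewal, and nothing in the patch records why. With `Never`, cert-manager reuses the existing private key on each renewal, so a key that has been exposed stays valid for as long as the Secret is kept; with `Always` a fresh key is generated and the old one stops being usable once the new certificate is issued. If the intent is to keep the signing key stable so previously issued k8s tokens still verify after a renewal, that reasoning belongs in the commit message or as a comment next to the `rotationPolicy` line, together with the manual step an operator must take to rotate the key itself (with `Never`, cert-manager only generates a new key when the private key is missing from the Secret, so the documented procedure should say how to force that). Without that note, a reader comparing the two hunks will assume the docs describe key rotation when they do not.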
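Review bot: In the 04-k8s-auth.md hunk, the new "Certificate rotation" section contradicts the cert-auth.yaml hunk: it links to the cert-manager page on "actions triggering private key rotation", but with `rotationPolicy: Never` the `cmctl renew m8-monoskope-tls-cert` command only reissues the certificate and leaves the private key unchanged. State that explicitly, e.g. "Note that this renews the certificate only; the private key is reused because the Certificate is configured with `rotationPolicy: Never`.", so operators responding to a suspected key exposure do not mistake a renewal for a key rotation. Smaller points: "has a long expire date by design" should read "has a long expiry date by design"; the sentence ending in the CLI link is missing its period; and `cmctl renew` acts on the current kubeconfig namespace, so the example should pass the namespace the chart installs into (`cmctl renew -n <namespace> m8-monoskope-tls-cert`) to avoid renewing the wrong object or failing with a not-found error.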