diff --git a/certs/certs.go b/certs/certs.go
index 6625ec0..d2b1b40 100644
--- a/certs/certs.go
+++ b/certs/certs.go
@@ -27,6 +27,8 @@ type Certs struct {
 	ca *certgen.CertGen
 	sn atomic.Int64
 	r *rescheduler.Rescheduler
+	t *time.Ticker
+	ts chan struct{}
 }
 // New creates a new cert list
@@ -37,15 +39,26 @@ func New(certDir fs.FS, keyDir fs.FS, selfCert bool) *Certs {
 		ss: selfCert,
 		s: &sync.RWMutex{},
 		m: make(map[string]*tls.Certificate),
+		ts: make(chan struct{}, 1),
 	}
-	// the rescheduler isn't even used in self cert mode so why initialise it
 	if !selfCert {
+		// the rescheduler isn't even used in self cert mode so why initialise it
 		c.r = rescheduler.NewRescheduler(c.threadCompile)
-	}
-	// in self-signed mode generate a CA certificate to sign other certificates
-	if c.ss {
+		c.t = time.NewTicker(2 * time.Hour)
+		go func() {
+			for {
+				select {
+				case <-c.t.C:
+					c.Compile()
+				case <-c.ts:
+					return
+				}
+			}
+		}()
+	} else {
+		// in self-signed mode generate a CA certificate to sign other certificates
 		ca, err := certgen.MakeCaTls(4096, pkix.Name{
 			Country: []string{"GB"},
 			Organization: []string{"Violet"},
@@ -118,6 +131,13 @@ func (c *Certs) Compile() {
 	c.r.Run()
 }
+func (c *Certs) Stop() {
+	if c.t != nil {
+		c.t.Stop()
+	}
+	close(c.ts)
+}
+
 func (c *Certs) threadCompile() {
 	// new map
 	certMap := make(map[string]*tls.Certificate)
diff --git a/cmd/violet/serve.go b/cmd/violet/serve.go
index a7c27db..4722892 100644
--- a/cmd/violet/serve.go
+++ b/cmd/violet/serve.go
@@ -183,6 +183,9 @@ func normalLoad(startUp startUpConfig, wd string) {
 	exit_reload.ExitReload("Violet", func() {
 		allCompilables.Compile()
 	}, func() {
+		// stop updating certificates
+		allowedCerts.Stop()
+
 		// close websockets first
 		ws.Shutdown()
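Review bot: The `ts` channel created in the struct literal is only ever closed (see `Stop`), never sent on, so the buffer in `ts: make(chan struct{}, 1)` does nothing and suggests a send is expected somewhere; `ts: make(chan struct{})` states the intent plainly. The reload period in `c.t = time.NewTicker(2 * time.Hour)` is a bare magic number; a named `const reloadInterval = 2 * time.Hour` near the type would make the policy discoverable and tunable. The goroutine itself has no comment saying why it exists or how it ends, and the relocated "why initialise it" remark does not cover it; something like `// reload certificates from disk every reloadInterval; Stop closes ts, which is the only way out since Ticker.Stop does not close t.C` would. New starts before and ends after this hunk.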
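Review bot: `Stop` closes `c.ts` unconditionally, so a second call panics with "close of closed channel", and a `Certs` not built via `New` (nil `ts`) panics on the first call; a shutdown hook is exactly the sort of caller that may run more than once, so the close should be idempotent. The exported method also has no doc comment. The file already imports `sync`, so a `stopOnce sync.Once` field on `Certs` (added alongside `t` and `ts` in the struct hunk above) makes `Stop` safe to call repeatedly without changing its signature.
```go
// Stop ends the periodic certificate reload started by New.
// It is safe to call more than once; calls after the first are no-ops.
func (c *Certs) Stop() {
	c.stopOnce.Do(func() {
		if c.t != nil {
			c.t.Stop()
		}
		if c.ts != nil {
			close(c.ts)
		}
	})
}
```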