diff --git a/pyproject.toml b/pyproject.toml
index 20d05c1..b5412dc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "cosl"
-version = "0.0.26"
+version = "0.0.27"
 authors = [
 { name="sed-i", email="82407168+sed-i@users.noreply.github.com" },
 ]
diff --git a/src/cosl/coordinated_workers/coordinator.py b/src/cosl/coordinated_workers/coordinator.py
index e7e01e7..7c95091 100644
--- a/src/cosl/coordinated_workers/coordinator.py
+++ b/src/cosl/coordinated_workers/coordinator.py
@@ -249,7 +249,9 @@ def __init__(
 certificates_relation_name=self._endpoints["certificates"],
 # let's assume we don't need the peer relation as all coordinator charms will assume juju secrets
 key="coordinator-server-cert",
- sans=[self.hostname],
+ # update certificate with new SANs whenever a worker is added/removed
+ sans=[self.hostname, *self.cluster.gather_addresses()],
+ refresh_events=[self.cluster.on.changed],
 )
 self.s3_requirer = S3Requirer(self._charm, self._endpoints["s3"], s3_bucket_name)
diff --git a/src/cosl/coordinated_workers/worker.py b/src/cosl/coordinated_workers/worker.py
index 5785e87..82d549c 100644
--- a/src/cosl/coordinated_workers/worker.py
+++ b/src/cosl/coordinated_workers/worker.py
@@ -6,6 +6,7 @@
 import logging
 import re
 import socket
+import subprocess
 import urllib.request
 from enum import Enum
 from functools import partial
@@ -491,8 +492,8 @@ def _update_tls_certificates(self) -> bool:
 ROOT_CA_CERT.unlink(missing_ok=True)
 # FIXME: uncomment as soon as the nginx image contains the ca-certificates package
- # self._container.exec(["update-ca-certificates", "--fresh"]).wait()
- # subprocess.run(["update-ca-certificates", "--fresh"])
+ self._container.exec(["update-ca-certificates", "--fresh"]).wait()
+ subprocess.run(["update-ca-certificates", "--fresh"])
 return True
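Review bot: The new `sans=[self.hostname, *self.cluster.gather_addresses()]` in coordinator.py puts every address the cluster relation reports into the coordinator's own server certificate, and nothing in the hunk validates, de-duplicates or orders those values. If `gather_addresses()` returns what worker units publish in relation data (it is defined outside this diff, so this is inferred), a misbehaving worker could cause a CSR for names the coordinator does not own, and an unstable ordering could make the SAN list differ between hooks and cause needless re-issuance on each `self.cluster.on.changed`. Consider building the list deterministically, e.g. `sans=sorted({self.hostname, *self.cluster.gather_addresses()}),`, and extending the comment to say why the coordinator certificate must cover worker addresses. The enclosing `__init__` starts and ends outside the hunk, so whether `self.cluster` is already constructed at this point cannot be confirmed from here.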
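Review bot: In worker.py, `subprocess.run(["update-ca-certificates", "--fresh"])` discards the exit status, so `_update_tls_certificates` still reaches `return True` when the trust store was not rebuilt; on the path shown, after `ROOT_CA_CERT.unlink(missing_ok=True)`, that can leave a removed CA trusted in the charm container. Pass `check=True`, as in `subprocess.run(["update-ca-certificates", "--fresh"], check=True)`, or log the failure and return False on a non-zero return code. The `# FIXME: uncomment as soon as the nginx image contains the ca-certificates package` line is kept as context but is now stale; replace it with a comment stating that both the workload container and the charm container refresh their CA stores. The function body begins outside the hunk, so how callers treat the boolean result is not visible here.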