diff --git a/operators/multiclusterobservability/controllers/placementrule/manifestwork.go b/operators/multiclusterobservability/controllers/placementrule/manifestwork.go
index 3df1763f8..5b72f1157 100644
--- a/operators/multiclusterobservability/controllers/placementrule/manifestwork.go
+++ b/operators/multiclusterobservability/controllers/placementrule/manifestwork.go
@@ -471,7 +471,7 @@ func createUpdateResourcesForHubMetricsCollection(c client.Client, manifests []w
 log.Info("MCO Operator is terminating, skip creating resources for hub metrics collection")
 return nil
 }
-
+ updateMtlsCert := false
 hubManifestCopy = make([]workv1.Manifest, len(manifests))
 for i, manifest := range manifests {
 obj := manifest.RawExtension.Object.DeepCopyObject()
@@ -534,6 +534,9 @@ func createUpdateResourcesForHubMetricsCollection(c client.Client, manifests []w
 }
 if k8serrors.IsNotFound(err) {
+ if obj.GetName() == operatorconfig.ClientCACertificateCN {
+ updateMtlsCert = true
+ }
 err = c.Create(context.TODO(), obj)
 if err != nil {
 log.Error(err, "Failed to create resource", "kind", obj.GetObjectKind().GroupVersionKind().Kind)
@@ -602,6 +605,9 @@ func createUpdateResourcesForHubMetricsCollection(c client.Client, manifests []w
 }
 if needsUpdate {
+ if obj.GetName() == operatorconfig.ClientCACertificateCN {
+ updateMtlsCert = true
+ }
 err = c.Update(context.TODO(), obj)
 if err != nil {
 log.Error(err, "Failed to update resource", "kind", obj.GetObjectKind().GroupVersionKind().Kind)
@@ -611,7 +617,7 @@ func createUpdateResourcesForHubMetricsCollection(c client.Client, manifests []w
 }
 }
- err := cert_controller.CreateMtlsCertSecretForHubCollector(c)
+ err := cert_controller.CreateUpdateMtlsCertSecretForHubCollector(c, updateMtlsCert)
 if err != nil {
 log.Error(err, "Failed to create client cert secret for hub metrics collection")
 return err
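Review bot: The trigger at `if obj.GetName() == operatorconfig.ClientCACertificateCN` in the `IsNotFound` branch matches on object name alone, so any entry in `manifests` that merely shares that name (a ConfigMap next to the Secret, say) would also force a client-certificate re-issue; the same name-only check is repeated in the `needsUpdate` hunk at line 605. Narrowing it to the kind that actually carries the CA — assuming that is a Secret, something like `if obj.GetObjectKind().GroupVersionKind().Kind == "Secret" && obj.GetName() == operatorconfig.ClientCACertificateCN {` — keeps the rotation tied to the CA material itself rather than to a name collision. The flag is also set before `c.Create`/`c.Update` is known to have succeeded; that is harmless if the error branches return from the function, which this hunk does not show. The enclosing function starts before and ends after this hunk.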
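Review bot: The re-issue decision is a one-shot flag: `updateMtlsCert` is true only during the reconcile in which the CA object was created or updated, so if `CreateUpdateMtlsCertSecretForHubCollector` fails on that pass (a transient API error, a conflict on the secret update) the next reconcile finds the CA unchanged, passes `false`, and the hub collector keeps a client certificate issued under the previous CA until the CA changes again. Whether the caller retries with the flag preserved is not visible here, so please confirm; a more robust trigger derives the need from state rather than from this pass's events, for example by having the certificates package check whether the existing `tls.crt` still verifies against the current CA before deciding to keep it. The error-path log still reads `Failed to create client cert secret`; since the call now also updates, `"Failed to create or update client cert secret for hub metrics collection"` describes the failure more accurately. The enclosing function starts before this hunk.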
diff --git a/operators/multiclusterobservability/pkg/certificates/certificates.go b/operators/multiclusterobservability/pkg/certificates/certificates.go
index caa3792e0..6e80a48fd 100644
--- a/operators/multiclusterobservability/pkg/certificates/certificates.go
+++ b/operators/multiclusterobservability/pkg/certificates/certificates.go
@@ -502,7 +502,7 @@ func CreateCSR() ([]byte, []byte) {
 return csr, privateKey
 }
-func CreateMtlsCertSecretForHubCollector(c client.Client) error {
+func CreateUpdateMtlsCertSecretForHubCollector(c client.Client, updateMtlsCert bool) error {
 csrBytes, privateKeyBytes := CreateCSR()
 csr := &certificatesv1.CertificateSigningRequest{
 Spec: certificatesv1.CertificateSigningRequestSpec{
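Review bot: `CreateUpdateMtlsCertSecretForHubCollector` is exported and gains a behavioural flag but carries no doc comment, so a caller cannot tell from the signature what `updateMtlsCert` does when the secret is absent versus already present. Suggest a comment above the signature along the lines of `// CreateUpdateMtlsCertSecretForHubCollector issues a new client certificate for the hub metrics collector and stores it in the HubMetricsCollectorMtlsCert secret. An existing secret is left untouched unless updateMtlsCert is true, in which case its tls.crt and tls.key are replaced with the newly issued pair.` A bare bool in a two-argument call also reads as a magic flag at the call site; a named constant or a separate `UpdateMtlsCertSecretForHubCollector` entry point would make the intent visible where it is called. The function body continues in the next hunk.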
@@ -514,23 +514,41 @@ func CreateMtlsCertSecretForHubCollector(c client.Client) error {
 if signedClientCert == nil {
 log.Error(nil, "failed to sign CSR")
 return errors.NewBadRequest("failed to sign CSR")
- } else {
- //Create a secret
- HubMtlsSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: operatorconfig.HubMetricsCollectorMtlsCert,
- Namespace: config.GetDefaultNamespace(),
- },
- Data: map[string][]byte{
- "tls.crt": signedClientCert,
- "tls.key": privateKeyBytes,
- },
+ }
+ //Create a secret
+ HubMtlsSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: operatorconfig.HubMetricsCollectorMtlsCert,
+ Namespace: config.GetDefaultNamespace(),
+ },
+ Data: map[string][]byte{
+ "tls.crt": signedClientCert,
+ "tls.key": privateKeyBytes,
+ },
+ }
+ err := c.Create(context.TODO(), HubMtlsSecret)
+ if err != nil && !errors.IsAlreadyExists(err) {
+ log.Error(err, "Failed to create secret", "name", operatorconfig.HubMetricsCollectorMtlsCert)
+ return err
+ }
+ if errors.IsAlreadyExists(err) && updateMtlsCert {
+ err := c.Get(context.TODO(), types.NamespacedName{
+ Name: operatorconfig.HubMetricsCollectorMtlsCert,
+ Namespace: config.GetDefaultNamespace(),
+ }, HubMtlsSecret)
+ if err != nil {
+ log.Error(err, "Failed to get secret", "name", operatorconfig.HubMetricsCollectorMtlsCert)
+ return err
 }
- err := c.Create(context.TODO(), HubMtlsSecret)
- if err != nil && !errors.IsAlreadyExists(err) {
- log.Error(err, "Failed to create secret", "name", operatorconfig.HubMetricsCollectorMtlsCert)
+ HubMtlsSecret.Data["tls.crt"] = signedClientCert
+ HubMtlsSecret.Data["tls.key"] = privateKeyBytes
+ err = c.Update(context.TODO(), HubMtlsSecret)
+ if err != nil {
+ log.Error(err, "Failed to update secret", "name", operatorconfig.HubMetricsCollectorMtlsCert)
 return err
 }
+ }
+ return nil
 }
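Review bot: After `c.Get(...)` overwrites `HubMtlsSecret` with the stored object, `HubMtlsSecret.Data["tls.crt"] = signedClientCert` writes into whatever map the cluster copy carried; a Secret that exists with no data entries decodes with a nil `Data`, and that assignment then panics the reconciler. Replacing the map wholesale avoids the nil case and also discards any stale keys: `HubMtlsSecret.Data = map[string][]byte{"tls.crt": signedClientCert, "tls.key": privateKeyBytes}`. Separately, `err := c.Get(...)` inside the `if` shadows the outer `err` from `c.Create`; it works only because every path in that block returns, and `err = c.Get(...)` is the form `go vet`'s shadow check would ask for. Note too that a fresh key pair is generated and signed on every call even when the secret already exists and `updateMtlsCert` is false, so the newly minted private key is simply discarded; the CSR generation starts before this hunk, so moving the existence check ahead of it would need a change outside this diff.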