diff --git a/http.go b/http.go
index 077eb9b13..36a0d0917 100644
--- a/http.go
+++ b/http.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"log"
 	"net"
@@ -8,6 +9,8 @@ import (
 	"strings"
 	"time"
 
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+
 	oscrypto "github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/oauth-proxy/util"
@@ -75,11 +78,19 @@ func (s *Server) ServeHTTPS() {
 	}
 
 	var err error
-	config.Certificates = make([]tls.Certificate, 1)
-	config.Certificates[0], err = tls.LoadX509KeyPair(s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
+	servingCertProvider, err := dynamiccertificates.NewDynamicServingContentFromFiles("serving", s.Opts.TLSCertFile, s.Opts.TLSKeyFile)
 	if err != nil {
 		log.Fatalf("FATAL: loading tls config (%s, %s) failed - %s", s.Opts.TLSCertFile, s.Opts.TLSKeyFile, err)
 	}
+	go servingCertProvider.Run(1, context.TODO().Done())
+
+	config.GetCertificate = func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		// this disregards information from ClientHello but we're not doing SNI anyway
+		cert, key := servingCertProvider.CurrentCertKeyContent()
+
+		certKeyPair, err := tls.X509KeyPair(cert, key)
+		return &certKeyPair, err
+	}
 
 	if len(s.Opts.TLSClientCAFile) > 0 {
 		config.ClientAuth = tls.RequestClientCert