diff --git a/admission-webhook/cert_reloader.go b/admission-webhook/cert_reloader.go
index 6580fe7c..c7db06b9 100644
--- a/admission-webhook/cert_reloader.go
+++ b/admission-webhook/cert_reloader.go
@@ -57,6 +57,7 @@ func (cr *CertReloader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Ce
 }
 
 func watchCertFiles(certLoader CertLoader) {
+	logrus.Infof("Starting certificate watcher on path %v and %v", certLoader.CertPath(), certLoader.KeyPath())
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
 		logrus.Errorf("error creating watcher: %v", err)
@@ -69,16 +70,15 @@ func watchCertFiles(certLoader CertLoader) {
 		select {
 		case event, ok := <-watcher.Events:
 			if !ok {
+				logrus.Errorf("watcher events returned !ok: %v", err)
 				return
 			}
-			if event.Op&fsnotify.Write == fsnotify.Write || event.Op&fsnotify.Rename == fsnotify.Rename {
-				logrus.Infof("detected change in certificate file: %v", event.Name)
-				_, err := certLoader.LoadCertificate()
-				if err != nil {
-					logrus.Errorf("error reloading certificate: %v", err)
-				} else {
-					logrus.Infof("successfully reloaded certificate")
-				}
+			logrus.Infof("detected change in certificate file: %v", event.Name)
+			_, err := certLoader.LoadCertificate()
+			if err != nil {
+				logrus.Errorf("error reloading certificate: %v", err)
+			} else {
+				logrus.Infof("successfully reloaded certificate")
 			}
 		case err, ok := <-watcher.Errors:
 			if !ok {
diff --git a/admission-webhook/integration_tests/integration_test.go b/admission-webhook/integration_tests/integration_test.go
index d6e62bed..220f4b2b 100644
--- a/admission-webhook/integration_tests/integration_test.go
+++ b/admission-webhook/integration_tests/integration_test.go
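Review bot: The added `logrus.Errorf("watcher events returned !ok: %v", err)` in the `!ok` branch prints the enclosing function's `err`, not anything related to the closed channel — the only assignment visible here is `watcher, err := fsnotify.NewWatcher()` in the previous hunk, which is nil once the function gets past its error check, so this log will most likely read `<nil>` and tell the operator nothing. Say what actually happened instead, e.g. `logrus.Error("certificate watcher events channel closed, stopping certificate reload loop")`, so that a silently dead reloader is visible in the logs. Dropping the `Write`/`Rename` filter also means `Chmod`, `Create` and `Remove` events now each trigger a `LoadCertificate`; if the mounted files are replaced by a remove-then-create sequence, the `Remove` event will log a reload error even though the new file lands a moment later, so either keep a filter or tolerate a transient load failure after `Remove`/`Rename`. watchCertFiles continues outside the hunk, so whether the watch is re-registered after the watched file is renamed away is not visible here.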
@@ -443,6 +443,10 @@ func TestPossibleToUpdatePodWithNewCert(t *testing.T) {
 		t.Skip("Non chart deployment method not supported")
 	}
 
+	//give a few mins to settle rotation
+	// TODO why is this needed?!
+	time.Sleep(120 * time.Second)
+
 	testName2 := testName + "after-rotation"
 	testConfig2, tearDownFunc2 := integrationTestSetup(t, testName2, credSpecTemplates, templates)
 	defer tearDownFunc2()
diff --git a/admission-webhook/webhook.go b/admission-webhook/webhook.go
index 06f772d4..6e8722d5 100644
--- a/admission-webhook/webhook.go
+++ b/admission-webhook/webhook.go
@@ -104,6 +104,7 @@ func (webhook *webhook) start(port int, tlsConfig *tlsConfig, listeningChan chan
 			err = webhook.server.Serve(keepAliveListener)
 		} else {
 			if webhook.config.EnableCertReload {
+				logrus.Infof("Webhook certificate reload enabled")
 				certReloader := NewCertReloader(tlsConfig.crtPath, tlsConfig.keyPath)
 				_, err = certReloader.LoadCertificate()
 				if err != nil {
diff --git a/charts/gmsa/templates/issuer.yaml b/charts/gmsa/templates/issuer.yaml
index 0e083486..87ce23df 100644
--- a/charts/gmsa/templates/issuer.yaml
+++ b/charts/gmsa/templates/issuer.yaml
@@ -16,6 +16,7 @@ spec:
 {{- if .Values.certificates.certReload.enabled }}
   privateKey:
     rotationPolicy: Always
+  isCA: true
 {{- end }}
 ---
 {{ template "cert-manager.apiversion" . }}
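Review bot: The fixed `time.Sleep(120 * time.Second)` under `// TODO why is this needed?!` bakes an unexplained two-minute wait into TestPossibleToUpdatePodWithNewCert; it slows every run and still fails if rotation takes longer than that on a slow cluster. Replace it with a bounded poll on the condition the test actually depends on — presumably that the rotated certificate is being served by the webhook or that the secret has been re-issued, the hunk does not show which — and fail with a clear message when the deadline passes. Whatever the condition turns out to be, keep a comment stating it, e.g. `// wait for the rotated webhook certificate to be in use before creating the second pod`, rather than the current question mark. The function's body continues outside the hunk.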
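Review bot: `isCA: true` is added inside the `certReload.enabled` conditional with no comment, so the Certificate's CA basic constraint now toggles with a feature flag that is about reloading, not about the trust chain. If this is the certificate the webhook serves rather than the chain's root, marking it CA means the serving key is also a signing key, and a compromise of that key then yields more than a spoofed webhook endpoint; if it is the root, isCA should be set unconditionally rather than depend on certReload. Either way the reason belongs in the template, e.g. `{{- /* isCA is required when certReload is enabled because <REASON> */}}` with the actual reason filled in, so the next maintainer does not remove or widen it by accident.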