diff --git a/inc/vCenter-SSL.ps1 b/inc/vCenter-SSL.ps1
index d974b802..1cf84bc1 100644
--- a/inc/vCenter-SSL.ps1
+++ b/inc/vCenter-SSL.ps1
@@ -130,6 +130,7 @@ if ($paCert) {
 $needNewCert = $true
 } else {
 Write-Log INFO "Skipping issuance — certificate valid >$RenewalWindow days."
+ $needNewCert = $false
 }
 } else {
 Write-Log WARN "No existing cert found — issuance required."
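Review bot: The new `$needNewCert = $false` makes the still-valid branch explicit, but the `No existing cert found — issuance required.` branch on the same hunk does not visibly set `$needNewCert = $true`; if that assignment is not made elsewhere (the lines after the `Write-Log WARN` are outside this hunk), the `if ($needNewCert)` gate this commit introduces later would skip issuance on a host with no certificate at all. Since the variable is now load-bearing for the whole apply path, I would initialise it once before the `if ($paCert) {` with `$needNewCert = $false` and assign `$needNewCert = $true` right after the warning, so every branch leaves it defined instead of relying on an unset variable evaluating as `$false`. The enclosing `if ($paCert)` block starts before this hunk.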
@@ -200,93 +201,95 @@ foreach ($f in @($certPath,$keyPath,$chainPath)) {
 }
 }
 
-# ----------------------------
-# Add CA chain to trusted store (remove duplicates)
-# ----------------------------
-try {
- Write-Log INFO "Cleaning old CA trust entries..."
- $issuer = ($paCert.Issuer)
- $existingCA = Get-VITrustedCertificate | Where-Object { $_.Subject -eq $issuer }
- foreach ($ca in $existingCA) {
- Remove-VITrustedCertificate -Certificate $ca -Confirm:$false -ErrorAction SilentlyContinue
- }
-
- $pemChain = Get-Content $chainPath -Raw
- Write-Log INFO "Adding CA chain to vCenter trust store..."
- Add-VITrustedCertificate -PemCertificateOrChain $pemChain -VCenterOnly -Confirm:$false | Out-Null
-
-} catch {
- Write-Log WARN "Failed to manage CA trust entries: $($_.Exception.Message)"
-}
-
-# ----------------------------
-# Compare current vCenter cert
-# ----------------------------
-$needPush = $true
-try {
- $vcCert = Get-VIMachineCertificate -VCenterOnly -ErrorAction Stop
- Write-Log INFO ("Current vCenter cert: Subject={0} NotAfter={1}" -f $vcCert.Subject, $vcCert.NotValidAfter)
-
- if ($vcCert.Thumbprint -eq $paCert.Thumbprint) {
- Write-Log INFO "vCenter already using this certificate."
- $needPush = $false
- }
-} catch {
- Write-Log WARN "Unable to read vCenter cert, assuming update required."
-}
-
-# ----------------------------
-# Apply new certificate
-# ----------------------------
-if ($needPush) {
-
- Write-Log INFO "Applying new Machine SSL certificate..."
-
- $leafPem = Get-Content $certPath -Raw
- $keyPem = Get-Content $keyPath -Raw
-
- try {
- Set-VIMachineCertificate -PemCertificate $leafPem -PemKey $keyPem -Confirm:$false | Out-Null
-
- Write-Host "==========================================================="
- Write-Host "SUCCESS: vCenter Machine SSL certificate updated." -ForegroundColor Green
- Write-Host "==========================================================="
-
- Write-Log INFO "Certificate updated successfully."
-
+if ($needNewCert) {
 # ----------------------------
- # Restart vpxd service
+ # Add CA chain to trusted store (remove duplicates)
 # ----------------------------
 try {
- Write-Log INFO "Restarting vpxd via Restart-VIApplianceService..."
- $svc = Get-VIApplianceService -Name 'vpxd' -ErrorAction Stop
- $null = $svc | Restart-VIApplianceService -Confirm:$false
- Write-Log INFO "vpxd restarted successfully."
- } catch {
- Write-Log WARN "vpxd restart failed: $($_.Exception.Message)"
- }
-
- # ----------------------------
- # Trigger Veeam rescan
- # ----------------------------
- if ($VEEAMHOSTSSH) {
- try {
- Write-Log INFO "Triggering Veeam host rescan on $VEEAMHOSTSSH..."
- $veeamCmd = "Rescan-VBREntity -AllHosts"
- $sshCmd = "ssh -tq -o ConnectTimeout=3 -o ConnectionAttempts=1 $VEEAMHOSTSSH '$veeamCmd'"
- $result = bash -c $sshCmd
- Write-Log INFO "Veeam rescan result: $result"
- } catch {
- Write-Log WARN "Veeam rescan failed: $($_.Exception.Message)"
+ Write-Log INFO "Cleaning old CA trust entries..."
+ $issuer = ($paCert.Issuer)
+ $existingCA = Get-VITrustedCertificate | Where-Object { $_.Subject -eq $issuer }
+ foreach ($ca in $existingCA) {
+ Remove-VITrustedCertificate -Certificate $ca -Confirm:$false -ErrorAction SilentlyContinue
 }
+
+ $pemChain = Get-Content $chainPath -Raw
+ Write-Log INFO "Adding CA chain to vCenter trust store..."
+ Add-VITrustedCertificate -PemCertificateOrChain $pemChain -VCenterOnly -Confirm:$false | Out-Null
+
+ } catch {
+ Write-Log WARN "Failed to manage CA trust entries: $($_.Exception.Message)"
 }
 
- } catch {
- Show-Failure $_
- }
+ # ----------------------------
+ # Compare current vCenter cert
+ # ----------------------------
+ $needPush = $true
+ try {
+ $vcCert = Get-VIMachineCertificate -VCenterOnly -ErrorAction Stop
+ Write-Log INFO ("Current vCenter cert: Subject={0} NotAfter={1}" -f $vcCert.Subject, $vcCert.NotValidAfter)
 
-} else {
- Write-Log INFO "No certificate update needed. Skipping vpxd restart + Veeam rescan."
+ if ($vcCert.Thumbprint -eq $paCert.Thumbprint) {
+ Write-Log INFO "vCenter already using this certificate."
+ $needPush = $false
+ }
+ } catch {
+ Write-Log WARN "Unable to read vCenter cert, assuming update required."
+ }
+
+ # ----------------------------
+ # Apply new certificate
+ # ----------------------------
+ if ($needPush) {
+
+ Write-Log INFO "Applying new Machine SSL certificate..."
+
+ $leafPem = Get-Content $certPath -Raw
+ $keyPem = Get-Content $keyPath -Raw
+
+ try {
+ Set-VIMachineCertificate -PemCertificate $leafPem -PemKey $keyPem -Confirm:$false | Out-Null
+
+ Write-Host "==========================================================="
+ Write-Host "SUCCESS: vCenter Machine SSL certificate updated." -ForegroundColor Green
+ Write-Host "==========================================================="
+
+ Write-Log INFO "Certificate updated successfully."
+
+ # ----------------------------
+ # Restart vpxd service
+ # ----------------------------
+ try {
+ Write-Log INFO "Restarting vpxd via Restart-VIApplianceService..."
+ $svc = Get-VIApplianceService -Name 'vpxd' -ErrorAction Stop
+ $null = $svc | Restart-VIApplianceService -Confirm:$false
+ Write-Log INFO "vpxd restarted successfully."
+ } catch {
+ Write-Log WARN "vpxd restart failed: $($_.Exception.Message)"
+ }
+
+ # ----------------------------
+ # Trigger Veeam rescan
+ # ----------------------------
+ if ($VEEAMHOSTSSH) {
+ try {
+ Write-Log INFO "Triggering Veeam host rescan on $VEEAMHOSTSSH..."
+ $veeamCmd = "Rescan-VBREntity -AllHosts"
+ $sshCmd = "ssh -tq -o ConnectTimeout=3 -o ConnectionAttempts=1 $VEEAMHOSTSSH '$veeamCmd'"
+ $result = bash -c $sshCmd
+ Write-Log INFO "Veeam rescan result: $result"
+ } catch {
+ Write-Log WARN "Veeam rescan failed: $($_.Exception.Message)"
+ }
+ }
+
+ } catch {
+ Show-Failure $_
+ }
+
+ } else {
+ Write-Log INFO "No certificate update needed. Skipping vpxd restart + Veeam rescan."
+ }
 }
 
 # ----------------------------
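Review bot: The new `if ($needNewCert) {` gate also encloses the `# Compare current vCenter cert` check and `Set-VIMachineCertificate`, so a certificate that is still inside the renewal window but is not the one vCenter is actually serving (a previous push failed, or the appliance certificate was regenerated) is never re-applied until `$RenewalWindow` days before expiry. The `$vcCert.Thumbprint -eq $paCert.Thumbprint` comparison already makes the apply path idempotent, so only the CA-trust cleanup and re-add need the gate: close the `if ($needNewCert)` block right after the `Failed to manage CA trust entries` catch and leave the compare/apply section at its previous nesting level. A secondary, pre-existing point on the moved lines: `Remove-VITrustedCertificate` runs before `Add-VITrustedCertificate`, so a failed add leaves vCenter with no trust entry for the issuer at all; adding the chain first and then removing only entries whose thumbprint is not in the new chain would avoid that window. The `foreach` named in the hunk header and the `# ---` section after the final `}` continue outside this hunk.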