diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
index 506487aa88..a5e1325f01 100644
--- a/charts/nginx-gateway-fabric/templates/certs-job.yaml
+++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml
@@ -7,7 +7,11 @@ metadata:
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install
+  {{- with .Values.certGenerator.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 automountServiceAccountToken: false
 {{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
@@ -29,7 +33,11 @@ metadata:
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install
+  {{- with .Values.certGenerator.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 rules:
 - apiGroups:
   - ""
@@ -48,7 +56,11 @@ metadata:
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install
+  {{- with .Values.certGenerator.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -67,7 +79,8 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook-weight": "-1"
-    "helm.sh/hook": pre-install
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
@@ -110,16 +123,17 @@ metadata:
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
-  {{- with .Values.certGenerator.annotations -}}
-  {{ toYaml . | nindent 4 }}
+  {{- with .Values.certGenerator.annotations }}
+  {{- toYaml . | nindent 4 }}
   {{- end }}
     "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
 spec:
   template:
     metadata:
       annotations:
-      {{- with .Values.certGenerator.annotations -}}
-      {{ toYaml . | nindent 8 }}
+      {{- with .Values.certGenerator.annotations }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
       automountServiceAccountToken: true