diff --git a/hash.go b/hash.go
new file mode 100644
index 0000000..7b4cf31
--- /dev/null
+++ b/hash.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"crypto/sha1"
+	"encoding/base64"
+	"encoding/json"
+)
+
+func hash(values ...interface{}) string {
+	ba, err := json.Marshal(values)
+	if err != nil {
+		panic(err) // should not happen
+	}
+
+	h := sha1.Sum(ba)
+
+	enc := base64.StdEncoding.WithPadding(base64.NoPadding)
+	return enc.EncodeToString(h[:])
+}
diff --git a/secrets.go b/secrets.go
index 1e897e1..c8eb7a4 100644
--- a/secrets.go
+++ b/secrets.go
@@ -36,8 +36,9 @@ type CA struct {
 }
 
 type KeyCert struct {
-	Key  []byte
-	Cert []byte
+	Key     []byte
+	Cert    []byte
+	ReqHash string
 }
 
 func loadSecretData(config *config.Config) (*SecretData, error) {
@@ -161,8 +162,9 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
 		return
 	}
 
+	rh := hash(req)
 	kc, ok := ca.Signed[name]
-	if ok {
+	if ok && rh == kc.ReqHash {
 		return
 	}
 
@@ -190,8 +192,9 @@ func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req
 	}
 
 	kc = &KeyCert{
-		Key:  key,
-		Cert: cert,
+		Key:     key,
+		Cert:    cert,
+		ReqHash: rh,
 	}
 
 	ca.Signed[name] = kc
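Review bot: hash() in the new hash.go picks crypto/sha1 for a digest that secrets.go uses to decide whether an already-signed certificate still matches its request, and since this file is new there is no stored value that needs to stay SHA-1 compatible, so the stronger default costs nothing here: change the import to `"crypto/sha256"` and the digest line to `h := sha256.Sum256(ba)`. Independently of the algorithm, the digest covers only what json.Marshal emits, so unexported fields of the values and anything the encoder skips do not influence the result, and a change there would not trigger re-signing; this deserves a doc comment on the function such as `// hash returns an unpadded base64 digest of the JSON encoding of values; only JSON-visible fields contribute, so unexported fields are ignored.`. The `panic(err)` on a marshal failure is only reachable for values json.Marshal cannot encode (channels, funcs, NaN), which is worth stating in the comment instead of the bare "should not happen".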
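Review bot: The new exported field ReqHash in KeyCert carries no comment, and its meaning (the hash() digest of the signing request that produced Cert, compared on later calls to decide whether to re-sign) is only discoverable from the KeyCert method in the second secrets.go hunk; add `// ReqHash is hash() of the request that produced Cert; a mismatch causes the pair to be re-signed.` above the field. If KeyCert values are persisted between runs (loadSecretData suggests they are loaded from somewhere, but the hunk does not show the format), note there as well that entries written before this field existed carry an empty ReqHash.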
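Review bot: The new condition `if ok && rh == kc.ReqHash` in SecretData.KeyCert never matches an entry whose ReqHash is empty, so any KeyCert that existed before this field was introduced is re-signed on the first call after the upgrade; if the Signed map is loaded from stored secrets that is a one-time key-and-certificate rotation for every name, which is fine if intended but should be spelled out, e.g. `// An empty ReqHash (entry predates request hashing) never matches, forcing one re-sign after upgrade.` on the line above. The comparison also reuses the existing pair whenever the request is unchanged regardless of the certificate's own validity; whether expiry is checked earlier in the function cannot be seen from the hunk, so confirm that a matching hash is not the only thing standing between a caller and an expired Cert. The enclosing KeyCert method starts and ends outside this hunk.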