diff --git a/roles/ssh-host-certs/files/reload-ssh-cert.path b/roles/ssh-host-certs/files/reload-ssh-cert.path
new file mode 100644
index 0000000..f4fdb71
--- /dev/null
+++ b/roles/ssh-host-certs/files/reload-ssh-cert.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target
diff --git a/roles/ssh-host-certs/files/reload-ssh-cert.service b/roles/ssh-host-certs/files/reload-ssh-cert.service
new file mode 100644
index 0000000..c4f2798
--- /dev/null
+++ b/roles/ssh-host-certs/files/reload-ssh-cert.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
index d57760e..32e47f2 100644
--- a/roles/ssh-host-certs/tasks/main.yml
+++ b/roles/ssh-host-certs/tasks/main.yml
@@ -23,6 +23,8 @@ - ssh-host-cert-sign@.service - ssh-host-certs-renew.target - ssh-host-certs-renew.timer + - reload-ssh-cert.path + - reload-ssh-cert.service notify: - reload systemd tags:
@@ -48,6 +50,14 @@ tags: - service +- name: ensure reload-ssh-cert.path is enabled systemd: name: reload-ssh-cert.path enabled: true state: started tags: - service - name: ensure sshd is configured to use host certificates template: src: hostcertificate.conf.j2
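Review bot: The third watch, `PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub`, does not follow the `ssh_host_<type>_key-cert.pub` pattern of the two lines above it, and OpenSSH's default certificate name for that key is `ssh_host_ed25519_key-cert.pub`. Unless the signing unit deliberately writes the ed25519 cert under the shorter name (the sign service and hostcertificate.conf.j2 are not in this diff), that certificate will be renewed on disk but sshd will keep presenting the old one until something else reloads it, which quietly defeats the purpose of this watcher for the key type most clients prefer. I would change the line to `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub` and cross-check all three paths against the HostCertificate entries in the template. A one-line comment above the `[Path]` section saying the list must stay in sync with hostcertificate.conf.j2 would make the coupling visible to the next editor.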
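Review bot: The sandbox on `reload-ssh-cert.service` stops short of a system-call filter: with an empty `CapabilityBoundingSet=`, `ProtectSystem=strict` and `RestrictAddressFamilies=AF_UNIX` already in place, adding `SystemCallFilter=@system-service`, `SystemCallArchitectures=native` and `RestrictNamespaces=true` after `RestrictSUIDSGID=true` would complete the usual set for a root oneshot whose only job is to talk to the manager over its private socket. A uid-0 caller should still be authorised by systemd for `reload` without any capabilities, but it is worth a one-off `systemctl start reload-ssh-cert.service` on the target distro to confirm, and on Debian-family hosts the unit may be `ssh.service` rather than `sshd` (the existing `After=sshd.service` suggests this role has already settled that, so this is only a caveat). As a point of style, `ProtectControlGroups=yes` is the one boolean written as `yes` while every other directive uses `true`; `ProtectControlGroups=true` keeps the file uniform.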
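Review bot: The new task starts `reload-ssh-cert.path` with `state: started` before the `reload systemd` handler notified by the earlier hunk has had a chance to run, so on a fresh host where the unit files were just copied, systemd may not yet know the unit and the task can fail with "Unit reload-ssh-cert.path not found". Unless handlers are flushed somewhere between the copy task and this one (not visible in this diff, and the preceding timer task is cut off above the hunk), I would add `daemon_reload: true` to the `systemd:` call, or put a `- meta: flush_handlers` task ahead of it. The same consideration applies to the triggered `reload-ssh-cert.service`, which the path unit cannot activate until the manager has loaded it.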