diff --git a/cli/Valet/Site.php b/cli/Valet/Site.php
index 2ae67658..49082568 100644
--- a/cli/Valet/Site.php
+++ b/cli/Valet/Site.php
@@ -475,17 +475,18 @@ public function secure(string $url, ?string $siteConf = null, int $certificateEx
         // Extract in order to later preserve custom PHP version config when securing
         $phpVersion = $this->customPhpVersion($url);
 
-        $this->unsecure($url);
-
+        // Create the CA if it doesn't exist.
+        // If the user cancels the trust operation, the old certificate will not be removed.
         $this->files->ensureDirExists($this->caPath(), user());
+        $caExpireInDate = (new \DateTime())->diff(new \DateTime("+{$caExpireInYears} years"));
+        $this->createCa($caExpireInDate->format('%a'));
+
+        $this->unsecure($url);
 
         $this->files->ensureDirExists($this->certificatesPath(), user());
 
         $this->files->ensureDirExists($this->nginxPath(), user());
 
-        $caExpireInDate = (new \DateTime())->diff(new \DateTime("+{$caExpireInYears} years"));
-
-        $this->createCa($caExpireInDate->format('%a'));
         $this->createCertificate($url, $certificateExpireInDays);
 
         $siteConf = $this->buildSecureNginxServer($url, $siteConf);
@@ -640,9 +641,14 @@ public function createSigningRequest(string $url, string $keyPath, string $csrPa
      */
     public function trustCa(string $caPemPath): void
     {
-        $this->cli->run(sprintf(
-            'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "%s"', $caPemPath
+        info('Trusting Laravel Valet Certificate Authority...');
+        $result = $this->cli->run(sprintf(
+            'sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "%s"',
+            $caPemPath
         ));
+        if ($result) {
+            throw new DomainException('The Certificate Authority must be trusted. Please run the command again.');
+        }
     }
 
     /**