diff --git a/CHANGELOG.md b/CHANGELOG.md
index 929f97efc4..39010572e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -54,6 +54,7 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
 
 COMPONENTS:
 
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml
index 92de8ee40d..0a469d8453 100755
--- a/templates/shared_services/certs/porter.yaml
+++ b/templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.7.2
+version: 0.7.3
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@@ -88,6 +88,7 @@ install:
 - name: storage_account_name
 - name: resource_group_name
 - name: keyvault_name
+ - name: password_name
 - az:
 description: "Set Azure Cloud Environment"
 arguments:
@@ -114,6 +115,7 @@ install:
 resource_group_name: ${ bundle.outputs.resource_group_name }
 keyvault_name: ${ bundle.outputs.keyvault_name }
 cert_name: ${ bundle.parameters.cert_name }
+ password_name: ${ bundle.outputs.password_name }
 - az:
 description: "Stop application gateway"
 arguments:
@@ -167,6 +169,7 @@ renew:
 - name: storage_account_name
 - name: resource_group_name
 - name: keyvault_name
+ - name: password_name
 - az:
 description: "Set Azure Cloud Environment"
 arguments:
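Review bot: The new step argument `password_name: ${ bundle.outputs.password_name }` in the install hunk at -114 (and again in the renew hunk at -202 on the next line) has no matching bundle output in this diff: the only Terraform output added is named `password_secret_name` in outputs.tf, and porter.yaml's `outputs:` section is not touched here. Unless an output called `password_name` already exists outside the diff, the value passed to the script will be empty. The names should be aligned end to end, either by declaring a porter output `password_name` fed from a Terraform output of the same name, or by changing both step arguments to whatever output is actually declared. The same `- name: password_name` declarations at -88 and -167 are fine once the output exists.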
@@ -202,6 +205,7 @@ renew:
 resource_group_name: ${ bundle.outputs.resource_group_name }
 keyvault_name: ${ bundle.outputs.keyvault_name }
 cert_name: ${ bundle.parameters.cert_name }
+ password_name: ${ bundle.outputs.password_name }
 - az:
 description: "Stop application gateway"
 arguments:
diff --git a/templates/shared_services/certs/scripts/letsencrypt.sh b/templates/shared_services/certs/scripts/letsencrypt.sh
index 4339990f43..bd88397215 100755
--- a/templates/shared_services/certs/scripts/letsencrypt.sh
+++ b/templates/shared_services/certs/scripts/letsencrypt.sh
@@ -29,6 +29,10 @@ while [ "$1" != "" ]; do
 shift
 cert_name=$1
 ;;
+ --password_name)
+ shift
+ password_name=$1
+ ;;
 *)
 echo "Unexpected argument: '$1'"
 usage
@@ -122,8 +126,8 @@ sid=$(az keyvault certificate import \
 --password "${CERT_PASSWORD}" \
 | jq -r '.sid')
 
-echo "Saving certificate password to KV with key ${cert_name}-password"
-az keyvault secret set --name "${cert_name}"-password \
+echo "Saving certificate password to KV with key ${password_name}"
+az keyvault secret set --name "$password_name" \
 --vault-name "${keyvault_name}" \
 --value "${CERT_PASSWORD}"
 
diff --git a/templates/shared_services/certs/terraform/certificate.tf b/templates/shared_services/certs/terraform/certificate.tf
index 0a825c491d..105a74a084 100644
--- a/templates/shared_services/certs/terraform/certificate.tf
+++ b/templates/shared_services/certs/terraform/certificate.tf
@@ -36,3 +36,17 @@ resource "azurerm_key_vault_certificate" "tlscert" {
 }
 }
+
+# pre-create in advance of the real password being created
+# so if there is a deleted secret it will be recovered
+#
+resource "azurerm_key_vault_secret" "cert_password" {
+ name = local.password_name
+ value = "0000000000"
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+
+ # The password will get replaced with a real one, so we don't want Terraform to try and revert it.
+ lifecycle {
+ ignore_changes = all
+ }
+}
 
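Review bot: `az keyvault secret set --name "$password_name"` in the -122 hunk has lost the old fallback: the variable is only assigned when `--password_name` is passed (arg-parsing hunk at -29), and no required-argument check for it is visible in the diff, so a missing or empty flag now makes the command fail or target an unintended name instead of the previous `${cert_name}-password`. A backward-compatible default keeps callers that predate this change working: `password_name=${password_name:-${cert_name}-password}` immediately before the echo. If the intent is that the caller must always supply it, fail fast instead with `: "${password_name:?--password_name is required}"`. The script body continues outside the hunk, so a usage check may exist that I cannot see.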
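Review bot: `ignore_changes = all` on `azurerm_key_vault_secret.cert_password` keeps Terraform from reverting the value, but as far as I can tell it does not stop refresh from reading the secret back, so once letsencrypt.sh overwrites it the real certificate password will be stored in Terraform state alongside the `"0000000000"` placeholder; the state backend then has to be treated as holding a live secret, which the comment should say. It also does not protect the resource on destroy, which would soft-delete the secret again — the very condition this block is meant to recover from — so `prevent_destroy = true` (or an explicit note on why destroy is acceptable) belongs in the same `lifecycle` block. Recovering the soft-deleted secret also relies on the azurerm provider's `key_vault { recover_soft_deleted_secrets }` feature setting, which this hunk does not show; I would extend the header comment to `# relies on the provider's recover_soft_deleted_secrets feature; the real value is written by letsencrypt.sh and will be read into state on refresh`.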
diff --git a/templates/shared_services/certs/terraform/locals.tf b/templates/shared_services/certs/terraform/locals.tf
index eb6e2bc676..19aa23c554 100644
--- a/templates/shared_services/certs/terraform/locals.tf
+++ b/templates/shared_services/certs/terraform/locals.tf
@@ -26,4 +26,5 @@ locals {
 cmk_name = "tre-encryption-${var.tre_id}"
 encryption_identity_name = "id-encryption-${var.tre_id}"
+ password_name = "${var.cert_name}-password"
 }
diff --git a/templates/shared_services/certs/terraform/outputs.tf b/templates/shared_services/certs/terraform/outputs.tf
index 882e91b2da..27a153dd53 100644
--- a/templates/shared_services/certs/terraform/outputs.tf
+++ b/templates/shared_services/certs/terraform/outputs.tf
@@ -17,3 +17,7 @@ output "resource_group_name" {
 output "keyvault_name" {
 value = data.azurerm_key_vault.key_vault.name
 }
+
+output "password_secret_name" {
+ value = local.password_secret_name
+}
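Review bot: The local added here is `password_name`, but the new output in the outputs.tf hunk on this same line reads `local.password_secret_name`, which, unless locals.tf defines that name outside this hunk, fails validation with an unsupported attribute on `local`. The two must agree, and since certificate.tf already uses `local.password_name` and porter.yaml consumes `bundle.outputs.password_name`, the least-churn fix is in outputs.tf: `output "password_name" {` with `value = local.password_name`. Whichever name is chosen, the porter output mapping has to carry the same name, otherwise the script receives an empty secret name.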