diff --git a/src/main/lens-proxy/lens-proxy-certificate.injectable.ts b/src/main/lens-proxy/lens-proxy-certificate.injectable.ts
index 3b5eb08a7a..5b328cecf4 100644
--- a/src/main/lens-proxy/lens-proxy-certificate.injectable.ts
+++ b/src/main/lens-proxy/lens-proxy-certificate.injectable.ts
@@ -3,40 +3,21 @@
  * Licensed under MIT License. See LICENSE in root directory for more information.
  */
 import { getInjectable } from "@ogre-tools/injectable";
-import { generate } from "selfsigned";
+import type { SelfSignedCert } from "selfsigned";
 import { lensProxyCertificateInjectionToken } from "../../common/certificate/lens-proxy-certificate-injection-token";
 
 const lensProxyCertificateInjectable = getInjectable({
   id: "lens-proxy-certificate",
   instantiate: () => {
-    const cert = generate([
-      { name: "commonName", value: "Lens Certificate Authority" },
-      { name: "organizationName", value: "Lens" },
-    ], {
-      keySize: 2048,
-      algorithm: "sha256",
-      days: 365,
-      extensions: [
-        {
-          name: "basicConstraints",
-          cA: true,
-        },
-        {
-          name: "subjectAltName",
-          altNames: [
-            { type: 2, value: "*.lens.app" },
-            { type: 2, value: "lens.app" },
-            { type: 2, value: "localhost" },
-            { type: 7, ip: "127.0.0.1" },
-          ],
-        },
-      ],
-    });
+    let certState: SelfSignedCert;
 
     return {
-      get: () => cert,
-      set: (): void => {
-        throw "cannot override cert";
+      get: () => certState,
+      set: (cert: SelfSignedCert): void => {
+        if (certState) {
+          throw "cannot override cert";
+        }
+        certState = cert;
       },
     };
   },
diff --git a/src/main/start-main-application/runnables/setup-lens-proxy-certificate.injectable.ts b/src/main/start-main-application/runnables/setup-lens-proxy-certificate.injectable.ts
new file mode 100644
index 0000000000..179aaed36b
--- /dev/null
+++ b/src/main/start-main-application/runnables/setup-lens-proxy-certificate.injectable.ts
@@ -0,0 +1,53 @@
+/**
+ * Copyright (c) OpenLens Authors. All rights reserved.
+ * Licensed under MIT License. See LICENSE in root directory for more information.
+ */
+import { getInjectable } from "@ogre-tools/injectable";
+import { generate } from "selfsigned";
+import lensProxyCertificateInjectable from "../../lens-proxy/lens-proxy-certificate.injectable";
+import { beforeElectronIsReadyInjectionToken } from "../runnable-tokens/before-electron-is-ready-injection-token";
+
+const setupLensProxyCertificateInjectable = getInjectable({
+  id: "setup-lens-proxy-certificate",
+
+  instantiate: (di) => {
+    const lensProxyCertificate = di.inject(lensProxyCertificateInjectable);
+
+    return {
+      id: "setup-lens-proxy-certificate",
+      run: () => {
+        const cert = generate([
+          { name: "commonName", value: "Lens Certificate Authority" },
+          { name: "organizationName", value: "Lens" },
+        ], {
+          keySize: 2048,
+          algorithm: "sha256",
+          days: 365,
+          extensions: [
+            {
+              name: "basicConstraints",
+              cA: true,
+            },
+            {
+              name: "subjectAltName",
+              altNames: [
+                { type: 2, value: "*.lens.app" },
+                { type: 2, value: "lens.app" },
+                { type: 2, value: "localhost" },
+                { type: 7, ip: "127.0.0.1" },
+              ],
+            },
+          ],
+        });
+
+        lensProxyCertificate.set(cert);
+
+        return undefined;
+      },
+    };
+  },
+
+  injectionToken: beforeElectronIsReadyInjectionToken,
+});
+
+export default setupLensProxyCertificateInjectable;