diff --git a/CHANGELOG.md b/CHANGELOG.md
index 929f97efc4..39010572e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -54,6 +54,7 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
 COMPONENTS:
diff --git a/templates/shared_services/certs/scripts/letsencrypt.sh b/templates/shared_services/certs/scripts/letsencrypt.sh
index 4339990f43..b83f87afd6 100755
--- a/templates/shared_services/certs/scripts/letsencrypt.sh
+++ b/templates/shared_services/certs/scripts/letsencrypt.sh
@@ -122,8 +122,15 @@ sid=$(az keyvault certificate import \
 --password "${CERT_PASSWORD}" \
 | jq -r '.sid')
+# Recover deleted secret (if exists) to prevent error when saving in following step
+password_name="${cert_name}-password"
+if az keyvault secret show-deleted --vault-name "$keyvault_name" --name "$password_name" &>/dev/null; then
+ echo "Found deleted secret '$password_name'. Recovering..."
+ az keyvault secret recover --vault-name "$keyvault_name" --name "$password_name"
+fi
+
 echo "Saving certificate password to KV with key ${cert_name}-password"
-az keyvault secret set --name "${cert_name}"-password \
+az keyvault secret set --name "$password_name" \
 --vault-name "${keyvault_name}" \
 --value "${CERT_PASSWORD}"
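Review bot: The `show-deleted` probe in the letsencrypt.sh hunk redirects both streams with `&>/dev/null`, so an authorization failure, a wrong vault name or a network error is indistinguishable from "no deleted secret", and the script then falls through to `az keyvault secret set`, which presumably fails with the same error this change is meant to prevent. Consider keeping stderr visible and failing loudly when recovery does not succeed, e.g. `az keyvault secret recover --vault-name "$keyvault_name" --name "$password_name" --output none || exit 1`. Recovery of a soft-deleted secret may not be complete when the command returns, so it is worth confirming the CLI waits, or adding a short bounded wait on `az keyvault secret show` before the `set`. Separately, `az keyvault secret set` prints the stored secret, value included, to stdout unless output is suppressed, and `--value "${CERT_PASSWORD}"` also puts the password on the command line; adding `--output none` to that command would keep the value out of deployment logs if nothing outside the hunk already does. The shebang and any `set -e` are outside the hunk, so whether `&>` is valid for the interpreter and whether a failed `recover` stops the script cannot be told from this view.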