diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da56a43012b7e53a6d5ced17123eb3d898b24f3e..ce1f928b2738066811425a3c7e3e3c85c03ac272 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -182,11 +182,17 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpsArgs} ${stripeArgs}";
     };
 
-    # Certificate renewal.  We must declare that we *require* it in our
-    # service above.
-    systemd.services."${certServiceName}" = {
-      enable = true;
+    # Certificate renewal.  A short-lived service meant to be repeatedly
+    # activated to request a new certificate be issued, if the current one is
+    # close to expiring.
+    systemd.services.${certServiceName} = {
+      enable = cfg.tls;
       description = "Certificate ${domain}";
+      # Activate this unit periodically so that certbot can determine if the
+      # certificate expiration time is close enough to warrant a renewal
+      # request.
+      startAt = "weekly";
+
       serviceConfig = {
         ExecStart =
         let
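Review bot: `startAt = "weekly";` leaves little margin for a failed or missed renewal attempt. As far as I know the timer NixOS derives from `startAt` sets only `OnCalendar`, so a host that is down at the weekly tick skips that run, and a run that fails is not retried for another week. The added comment says certbot itself decides whether the certificate is close enough to expiry, so running more often is cheap: consider `startAt = "daily";` together with `systemd.timers.${certServiceName}.timerConfig.Persistent = true;` so a missed run fires after the next boot. The removed comment said the main service must *require* this unit; if that dependency still exists, please confirm it is also conditional on `cfg.tls`, since this unit is now disabled when TLS is off. That declaration and the rest of `ExecStart` are outside this hunk.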
@@ -201,6 +207,7 @@ in {
           '';
       };
     };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80