diff --git a/authority/authority.go b/authority/authority.go
index 4518abdf..72fa081f 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -382,3 +382,10 @@ func (a *Authority) Shutdown() error {
 	}
 	return a.db.Shutdown()
 }
+
+// CloseForReload closes internal services, to allow a safe reload.
+func (a *Authority) CloseForReload() {
+	if err := a.keyManager.Close(); err != nil {
+		log.Printf("error closing the key manager: %v", err)
+	}
+}
diff --git a/authority/authority_test.go b/authority/authority_test.go
index 8b003572..e6625d6a 100644
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -306,3 +306,17 @@ func TestNewEmbedded_GetTLSCertificate(t *testing.T) {
 	assert.True(t, cert.Leaf.IPAddresses[0].Equal(net.ParseIP("127.0.0.1")))
 	assert.True(t, cert.Leaf.IPAddresses[1].Equal(net.ParseIP("::1")))
 }
+
+func TestAuthority_CloseForReload(t *testing.T) {
+	tests := []struct {
+		name string
+		auth *Authority
+	}{
+		{"ok", testAuthority(t)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.auth.CloseForReload()
+		})
+	}
+}
diff --git a/ca/ca.go b/ca/ca.go
index 3c57b759..c43692f2 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -227,9 +227,11 @@ func (ca *CA) Reload() error {
 	}
 
 	// 1. Stop previous renewer
-	// 2. Replace ca properties
+	// 2. Close key manager
+	// 3. Replace ca properties
 	// Do not replace ca.srv
 	ca.renewer.Stop()
+	ca.auth.CloseForReload()
 	ca.auth = newCA.auth
 	ca.config = newCA.config
 	ca.opts = newCA.opts