diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 412e9f05b..ccf78873b 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -34,7 +34,7 @@ haproxy h1 -conf {
 listen clear-lst
 bind "fd@${clearlst}"
 retries 0 # 2nd SSL connection must fail so skip the retry
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem no-ssl-reuse
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
 
 listen ssl-lst
 # crt: certificate of the server
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8a20c38d..693252635 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1399,17 +1399,26 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
 /* The bind_conf will be null on server ckch_instances. */
 if (ckchi->is_server_instance) {
+ int i;
+
 /* The certificate update on the server side (backend)
 * can be done by rewritting a single pointer so no
 * locks are needed here. */
 /* free the server current SSL_CTX */
 SSL_CTX_free(ckchi->server->ssl_ctx.ctx);
 /* Actual ssl context update */
+ thread_isolate();
 SSL_CTX_up_ref(ckchi->ctx);
 ckchi->server->ssl_ctx.ctx = ckchi->ctx;
- __ha_barrier_store();
 ckchi->server->ssl_ctx.inst = ckchi;
+ /* flush the session cache of the server */
+ for (i = 0; i < global.nbthread; i++) {
+ free(ckchi->server->ssl_ctx.reused_sess[i].ptr);
+ ckchi->server->ssl_ctx.reused_sess[i].ptr = NULL;
+ }
+ thread_release();
+
 } else {
 HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
 ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);
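Review bot: Dropping `no-ssl-reuse` from the `server s1` line silently changes what this test asserts, and the existing `retries 0 # 2nd SSL connection must fail so skip the retry` comment no longer explains it: the second connection can now only fail if the "commit ssl cert" path actually flushed the server's per-thread `reused_sess` cache, since a resumed session would bypass the new certificate check. That is a useful property to pin, but a reader of the vtc alone cannot see why reuse is now permitted, so the intent should be stated next to the server line. I would add `# no-ssl-reuse is deliberately absent: "commit ssl cert" must flush the server session cache, so the 2nd connection cannot resume the old session and must fail on the new cert` above the `server s1` line. The src/ssl_ckch.c hunk that implements the flush is cut off at the end of this chunk, so I have not reviewed it here.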