The present disclosure is related to devices, systems, and methods for TLS server certificate replacement using a notification mechanism. An example method can include establishing a first secure TLS connection between a client and a server verified by a first TLS certificate, creating a subscription for the client to receive a notification associated with a TLS certificate change, loading a second certificate to replace the first certificate, providing a notification to the client, wherein the notification includes the second certificate and a web token scoped to the client, and establishing a second secure TLS connection verified by the second TLS certificate responsive to the client verifying the web token.