diff --git a/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java b/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
index 7efc04e2aee..842c7028cf3 100644
--- a/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
+++ b/managed/src/main/java/com/yugabyte/yw/commissioner/tasks/upgrade/TlsToggle.java
@@ -101,6 +101,10 @@ public void run() {
 
   private void createRound1GFlagUpdateTasks(MastersAndTservers nodes) {
     if (getNodeToNodeChange() < 0) {
+      // Skip running round1 if Node2Node certs have expired
+      if (CertificateHelper.checkNode2NodeCertsExpiry(getUniverse())) {
+        return;
+      }
       // Setting allow_insecure to true can be done in non-restart way
       createNonRestartUpgradeTaskFlow(
           (List<NodeDetails> nodeList, Set<ServerType> processTypes) -> {
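Review bot: The early `return` added inside the `getNodeToNodeChange() < 0` branch is silent, so a TLS-disable run that takes the expired-certificate path leaves no record of why the non-restart `allow_insecure` step was skipped. Log it before returning, e.g. `log.warn("Node-to-node certs expired, skipping round 1 gflag update");` (the logger name is assumed, use whatever the class already has). The comment should also say why skipping is safe, presumably because the non-restart update cannot reach servers whose certificates no longer validate. It is worth confirming that the later rounds still bring every node to the intended state without the intermediate `allow_insecure` phase, since that is not visible here. The body of `createRound1GFlagUpdateTasks` continues outside the hunk.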
@@ -313,6 +317,12 @@ private AnsibleConfigureServers getAnsibleConfigureServerTaskForYbcToggleTls(Nod
     return task;
   }
 
+  /*
+   * Returns:
+   * 1: If task is to enable node-to-node encryption
+   * -1: If task is to disable node-to-node encryption
+   * 0: If there is no change in node-to-node encryption
+   */
   private int getNodeToNodeChange() {
     return getUserIntent().enableNodeToNodeEncrypt != taskParams().enableNodeToNodeEncrypt
         ? (taskParams().enableNodeToNodeEncrypt ? 1 : -1)
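Review bot: The comment added above `getNodeToNodeChange()` is a plain `/* */` block, so Javadoc tooling and IDE hovers will not pick it up. Write it as `/** ... */` with an `@return` tag, e.g. `@return 1 when the task enables node-to-node encryption, -1 when it disables it, 0 when unchanged`. Callers such as the `< 0` test in `createRound1GFlagUpdateTasks` depend on this sign convention, so it should be documented where tools can surface it. The method body continues past the end of the hunk.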