diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst
index f82f8b6b3..ec6f97898 100644
--- a/doc/source/configuration/openbao.rst
+++ b/doc/source/configuration/openbao.rst
@@ -494,7 +494,7 @@ To enable TLS for Pulp we first need to generate the certificates and the procee
 .. code-block::
- kayobe seed service reconfigure -t seed-deploy-containers -kt none
+ kayobe seed service deploy -t seed-deploy-containers -kt none
 5. Set CA for docker registry
diff --git a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
index 3c2f25889..f4bd7830d 100644
--- a/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
+++ b/etc/kayobe/ansible/pulp/pulp-generate-certificate.yml
@@ -17,6 +17,17 @@
 file: "{{ kayobe_env_config_path }}/openbao/seed-openbao-keys.json"
 name: openbao_keys
+ - name: Check OpenBao seal status
+ ansible.builtin.uri:
+ url: "{{ openbao_api_addr }}/v1/sys/seal-status"
+ return_content: true
+ register: openbao_seal_status
+
+ - name: Assert that OpenBao is unsealed
+ ansible.builtin.assert:
+ that: not openbao_seal_status.json.sealed
+ fail_msg: "OpenBao is sealed. Please unseal it before continuing."
+
 - name: Issue Pulp certificate
 hashivault_pki_cert_issue: # noqa: fqcn
 url: "{{ openbao_api_addr }}"
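Review bot: The new `ansible.builtin.uri` seal-status task in `pulp-generate-certificate.yml` relies on the module's default TLS settings, and the `hashivault_pki_cert_issue` task after it continues outside the hunk, so it is not visible whether both requests to `openbao_api_addr` trust the same CA. If that address is HTTPS behind a private CA, the preflight would stop on certificate validation and the operator would never reach the "OpenBao is sealed" message. Pass the same bundle explicitly, e.g. `ca_path: "{{ <CA bundle variable used by the issue task> }}"`, rather than leaving room for someone to quiet the error by turning validation off. `return_content: true` looks redundant, since `uri` populates `.json` for a JSON response regardless. A short comment above the pair, such as `# Preflight: stop with a clear message if OpenBao is sealed`, would record why the check exists.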