diff --git a/docs/deployment/schedulers/k3s.md b/docs/deployment/schedulers/k3s.md
index 69de38b3d..975c51061 100644
--- a/docs/deployment/schedulers/k3s.md
+++ b/docs/deployment/schedulers/k3s.md
@@ -337,6 +337,8 @@ When a certificate is removed:
 - The app is automatically redeployed to update the ingress configuration
 - If Let's Encrypt is configured, automatic certificate generation will resume
+When an app is destroyed, any associated TLS secret is automatically cleaned up.
+
 ### Customizing Annotations and Labels
 > [!NOTE]
diff --git a/plugins/scheduler-k3s/triggers.go b/plugins/scheduler-k3s/triggers.go
index da6d531a8..a394d87ec 100644
--- a/plugins/scheduler-k3s/triggers.go
+++ b/plugins/scheduler-k3s/triggers.go
@@ -1716,6 +1716,12 @@ func TriggerSchedulerPostDelete(scheduler string, appName string) error {
 return fmt.Errorf("Error uninstalling chart: %w", err)
 }
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+ if _, err := DeleteTLSSecret(ctx, appName); err != nil {
+ common.LogWarn(fmt.Sprintf("Error deleting TLS secret for %s: %v", appName, err))
+ }
+
 return nil
 }
diff --git a/tests/unit/scheduler-k3s-certs-2.bats b/tests/unit/scheduler-k3s-certs-2.bats
new file mode 100644
index 000000000..c2ecdd703
--- /dev/null
+++ b/tests/unit/scheduler-k3s-certs-2.bats
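Review bot: In plugins/scheduler-k3s/triggers.go, the added cleanup in TriggerSchedulerPostDelete treats a failed `DeleteTLSSecret` as a warning and still returns nil, so a Secret holding the app's TLS private key can outlive the app while `apps:destroy` reports success. The warning should name the secret and namespace so an operator can remove it by hand, and the value discarded with `_` deserves a short comment saying what it is. The block also sits after the early `return fmt.Errorf("Error uninstalling chart: %w", err)`, so a failed chart uninstall skips secret cleanup entirely. The context has no deadline either; if DeleteTLSSecret passes it to the Kubernetes client (its body is not in this hunk), `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` (duration illustrative, and `time` must already be imported) would keep an unreachable API server from stalling the destroy. The function begins outside the hunk.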
@@ -0,0 +1,71 @@
+#!/usr/bin/env bats
+
+load test_helper
+
+TEST_APP="rdmtestapp"
+
+setup_local_tls() {
+ TLS=$BATS_TMPDIR/tls
+ mkdir -p $TLS
+ tar xf $BATS_TEST_DIRNAME/server_ssl.tar -C $TLS
+ sudo chown -R dokku:dokku $TLS
+}
+
+teardown_local_tls() {
+ TLS=$BATS_TMPDIR/tls
+ rm -R $TLS
+}
+
+setup() {
+ uninstall_k3s || true
+ global_setup
+ dokku nginx:stop
+ export KUBECONFIG="/etc/rancher/k3s/k3s.yaml"
+ setup_local_tls
+}
+
+teardown() {
+ global_teardown
+ dokku nginx:start
+ uninstall_k3s || true
+ teardown_local_tls
+}
+
+@test "(scheduler-k3s:certs) app destruction deletes k8s TLS secret" {
+ if [[ -z "$DOCKERHUB_USERNAME" ]] || [[ -z "$DOCKERHUB_TOKEN" ]]; then
+ skip "skipping due to missing docker.io credentials DOCKERHUB_USERNAME:DOCKERHUB_TOKEN"
+ fi
+
+ INGRESS_CLASS=nginx install_k3s
+
+ run /bin/bash -c "dokku apps:create $TEST_APP"
+ echo "output: $output"
+ echo "status: $status"
+ assert_success
+
+ run /bin/bash -c "dokku scheduler:set $TEST_APP selected k3s"
+ echo "output: $output"
+ echo "status: $status"
+ assert_success
+
+ run /bin/bash -c "dokku certs:add $TEST_APP $BATS_TMPDIR/tls/server.crt $BATS_TMPDIR/tls/server.key"
+ echo "output: $output"
+ echo "status: $status"
+ assert_success
+ assert_output_contains "Installing TLS certificate for $TEST_APP"
+
+ run /bin/bash -c "kubectl get secret tls-$TEST_APP -n default"
+ echo "output: $output"
+ echo "status: $status"
+ assert_success
+
+ run /bin/bash -c "dokku apps:destroy $TEST_APP --force"
+ echo "output: $output"
+ echo "status: $status"
+ assert_success
+
+ run /bin/bash -c "kubectl get secret tls-$TEST_APP -n default"
+ echo "output: $output"
+ echo "status: $status"
+ assert_failure
+}
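Review bot: The final `assert_failure` after `kubectl get secret tls-$TEST_APP -n default` passes on any non-zero exit, including an unreachable API server or an unreadable kubeconfig, so the test can go green without proving the secret was deleted. Following it with `assert_output_contains "NotFound"` would tie the failure to the secret's absence, since kubectl's not-found error carries that string. The helpers also expand `$TLS`, `$BATS_TMPDIR` and `$BATS_TEST_DIRNAME` unquoted, e.g. `rm -R $TLS`; quoting them (`rm -R "$TLS"`) keeps the teardown that removes the extracted key material correct if the temp path ever contains whitespace.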