diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultCertificates.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultCertificates.java
index 2b2810502b3a8..e902a8c20d567 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultCertificates.java
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultCertificates.java
@@ -131,12 +131,16 @@ public Map<String, Key> getCertificateKeys() {
     }
 
     private void refreshCertificatesIfNeeded() {
-        if (certificatesNeedRefresh()) {
+        if (certificatesNeedRefresh()) { // Avoid acquiring the lock as much as possible.
             refreshCertificates();
         }
     }
 
-    private void refreshCertificates() {
+    private synchronized void refreshCertificates() {
+        if (!certificatesNeedRefresh()) {
+            return; // After obtaining the lock, avoid doing too many operations.
+        }
+        // When refreshing certificates, the update of the 3 variables should be an atomic operation.
         aliases = keyVaultClient.getAliases();
         certificateKeys.clear();
         certificates.clear();