diff --git a/clustermesh/certs.go b/clustermesh/certs.go
index b45f7924a3..b16f7948ae 100644
--- a/clustermesh/certs.go
+++ b/clustermesh/certs.go
@@ -137,6 +137,7 @@ func (k *K8sClusterMesh) createClusterMeshClientCertificate(ctx context.Context)
 }
 
 func (k *K8sClusterMesh) createClusterMeshExternalWorkloadCertificate(ctx context.Context) error {
+	certName := getExternalWorkloadCertName()
 	certReq := &csr.CertificateRequest{
 		Names: []csr.Name{{C: "US", ST: "San Francisco", L: "CA"}},
 		KeyRequest: csr.NewKeyRequest(),
@@ -147,16 +148,16 @@ func (k *K8sClusterMesh) createClusterMeshExternalWorkloadCertificate(ctx contex
 	signConf := &config.Signing{
 		Default: &config.SigningProfile{Expiry: 5 * 365 * 24 * time.Hour},
 		Profiles: map[string]*config.SigningProfile{
-			defaults.ClusterMeshExternalWorkloadSecretName: {
+			certName: {
 				Expiry: 5 * 365 * 24 * time.Hour,
 				Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
 			},
 		},
 	}
 
-	cert, key, err := k.certManager.GenerateCertificate(defaults.ClusterMeshExternalWorkloadSecretName, certReq, signConf)
+	cert, key, err := k.certManager.GenerateCertificate(certName, certReq, signConf)
 	if err != nil {
-		return fmt.Errorf("unable to generate certificate %s: %w", defaults.ClusterMeshExternalWorkloadSecretName, err)
+		return fmt.Errorf("unable to generate certificate %s: %w", certName, err)
 	}
 
 	data := map[string][]byte{
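Review bot: The signing-profile key, the `GenerateCertificate` name and the error text in this hunk now all derive from `certName`, which in Helm mode resolves to `defaults.ClusterMeshClientSecretName` rather than the external-workload name, and nothing at the use site says so. A one-line comment above the `certName :=` line added in the preceding hunk, such as `// certName doubles as the signing-profile key and the secret name; in Helm mode it is the client secret name`, would make the aliasing visible to the next reader. Whether GenerateCertificate also uses this name as the certificate subject cannot be told from the hunk. createClusterMeshExternalWorkloadCertificate opens in the 137 hunk and continues past this one.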
@@ -165,9 +166,9 @@ func (k *K8sClusterMesh) createClusterMeshExternalWorkloadCertificate(ctx contex
 		defaults.CASecretCertName: k.certManager.CACertBytes(),
 	}
 
-	_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(defaults.ClusterMeshExternalWorkloadSecretName, k.params.Namespace, data), metav1.CreateOptions{})
+	_, err = k.client.CreateSecret(ctx, k.params.Namespace, k8s.NewTLSSecret(certName, k.params.Namespace, data), metav1.CreateOptions{})
 	if err != nil {
-		return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, err)
+		return fmt.Errorf("unable to create secret %s/%s: %w", k.params.Namespace, certName, err)
 	}
 
 	return nil
@@ -178,7 +179,7 @@ func (k *K8sClusterMesh) deleteCertificates(ctx context.Context) error {
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshServerSecretName, metav1.DeleteOptions{})
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshAdminSecretName, metav1.DeleteOptions{})
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshRemoteSecretName, metav1.DeleteOptions{})
-	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, metav1.DeleteOptions{})
+	k.client.DeleteSecret(ctx, k.params.Namespace, getExternalWorkloadCertName(), metav1.DeleteOptions{})
 	k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshClientSecretName, metav1.DeleteOptions{})
 	return nil
 }
diff --git a/clustermesh/clustermesh.go b/clustermesh/clustermesh.go
index d5c7f1b295..f8a065ed0d 100644
--- a/clustermesh/clustermesh.go
+++ b/clustermesh/clustermesh.go
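Review bot: In Helm mode `certName` equals `defaults.ClusterMeshClientSecretName`, so the `CreateSecret` call in this hunk would create a secret under the same name as the clustermesh client secret, storing a certificate whose profile carries "server auth" as well as "client auth" where the client identity is expected; if a client secret already exists the create fails with AlreadyExists, and that case is not distinguished from any other error. The 178 hunk has the mirror problem: `deleteCertificates` deletes `getExternalWorkloadCertName()` and then `defaults.ClusterMeshClientSecretName`, which in Helm mode is the same secret twice, while a secret left under `defaults.ClusterMeshExternalWorkloadSecretName` by a pre-Helm install is no longer removed. Whether this create path is reachable in Helm mode cannot be told from the diff; if it is not, a guard such as `if utils.IsInHelmMode() { return nil }` at the top of createClusterMeshExternalWorkloadCertificate would make that explicit, and the delete list could keep `k.client.DeleteSecret(ctx, k.params.Namespace, defaults.ClusterMeshExternalWorkloadSecretName, metav1.DeleteOptions{})` alongside the new call so leftover secrets are cleaned up. Both functions extend beyond their hunks.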
@@ -674,6 +674,13 @@ func getDeprecatedName(secretName string) string {
 	}
 }
 
+func getExternalWorkloadCertName() string {
+	if utils.IsInHelmMode() {
+		return defaults.ClusterMeshClientSecretName
+	}
+	return defaults.ClusterMeshExternalWorkloadSecretName
+}
+
 // getDeprecatedSecret attempts to retrieve a secret using one or more deprecated names
 // There are now multiple "layers" of deprecated secret names, so we call this function recursively if needed
 func (k *K8sClusterMesh) getDeprecatedSecret(ctx context.Context, client k8sClusterMeshImplementation, secretName string, defaultName string) (*corev1.Secret, error) {
@@ -760,7 +767,7 @@ func (k *K8sClusterMesh) extractAccessInformation(ctx context.Context, client k8
 	// ExternalWorkload secret is created by 'clustermesh enable' command, but it isn't created by Helm. We should try to load this secret only when needed
 	var externalWorkloadKey, externalWorkloadCert []byte
 	if getExternalWorkLoadSecret {
-		externalWorkloadSecret, err := k.getSecret(ctx, client, defaults.ClusterMeshExternalWorkloadSecretName)
+		externalWorkloadSecret, err := k.getSecret(ctx, client, getExternalWorkloadCertName())
 		if err != nil {
 			return nil, fmt.Errorf("unable to get external workload secret to access clustermesh service")
 		}
@@ -1776,6 +1783,7 @@ func EnableWithHelm(ctx context.Context, k8sClient *k8s.Client, params Parameter
 	helmStrValues := []string{
 		"clustermesh.useAPIServer=true",
 		fmt.Sprintf("clustermesh.apiserver.service.type=%s", params.ServiceType),
+		"externalWorkloads.enabled=true",
 	}
 	vals, err := helm.ParseVals(helmStrValues)
 	if err != nil {
@@ -1795,6 +1803,7 @@ func EnableWithHelm(ctx context.Context, k8sClient *k8s.Client, params Parameter
 func DisableWithHelm(ctx context.Context, k8sClient *k8s.Client, params Parameters) error {
 	helmStrValues := []string{
 		"clustermesh.useAPIServer=false",
+		"externalWorkloads.enabled=false",
 	}
 	vals, err := helm.ParseVals(helmStrValues)
 	if err != nil {
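Review bot: `getExternalWorkloadCertName` is added without a doc comment, and its name says "cert" while both values it returns are `defaults.*SecretName` constants that certs.go uses as the secret name and signing-profile key. Suggested comment: `// getExternalWorkloadCertName returns the name of the secret holding the external-workload certificate: the dedicated external-workload secret normally, or the clustermesh client secret when running in Helm mode.` Renaming it to something like `externalWorkloadSecretName` would match the constants it returns, though that is a style preference.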
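Review bot: The context comment two lines above the changed `getSecret` call still says the ExternalWorkload secret "isn't created by Helm", but this hunk now reads the client secret in Helm mode and EnableWithHelm (the 1783 hunk) sets `externalWorkloads.enabled=true`, so the comment no longer describes the code beneath it. Suggest rewording it to `// In Helm mode the external-workload identity lives in the clustermesh client secret (see getExternalWorkloadCertName); otherwise it is created by 'clustermesh enable'. Load it only when needed.` Separately, and pre-existing, the error on the following context line drops `err`, so the reason the secret could not be read is lost; `return nil, fmt.Errorf("unable to get external workload secret to access clustermesh service: %w", err)` keeps it. extractAccessInformation begins and ends outside the hunk.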
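Review bot: `DisableWithHelm` now sets `externalWorkloads.enabled=false` unconditionally, so `clustermesh disable` turns the feature off even for a user who enabled external workloads independently of clustermesh; the symmetric `enabled=true` in the preceding EnableWithHelm hunk likewise forces it on for every enable. If that coupling is intended, a comment on the value such as `// external workloads depend on the clustermesh API server, so the two are toggled together` would record it; if not, the value should be gated on a Parameters field rather than always emitted. Whether externalWorkloads has further effects in the chart cannot be told from the diff. DisableWithHelm continues past the hunk.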